Virus again


Virus again

Post by Danimal on Wed Oct 21, 2009 2:47 am

I just had you guys help me a couple of days ago and my brother decided to go on some random website/downloading some random crap on my computer and now it's infected again. ARG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:11 PM, on 10/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Temp\wpv161255703227.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\program files\ncsoft\launcher\NCLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\rundll22.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Daniel\restorer64_a.exe
C:\Documents and Settings\Daniel\Application Data\seres.exe
C:\Documents and Settings\Daniel\Application Data\svcst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Daniel\Desktop\scanner.exe.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv161255703227.exe
O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [RegistryMonitor1] C:\WINDOWS\system32\qtplugin.exe
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKLM\..\Run: [Yjudulenelanave] rundll32.exe "C:\WINDOWS\emuroquqofolinin.dll",Startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [NCsoft Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\rundll22.exe
O4 - HKCU\..\Run: [restorer64_a] C:\Documents and Settings\Daniel\restorer64_a.exe
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Daniel\Application Data\seres.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Daniel\Application Data\svcst.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: zavupd32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c6635fea52a) (gupdate1c9c6635fea52a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8173 bytes

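A defender-side way to triage a HijackThis log like the one above, as an added example (not part of this thread and not HijackThis code): it flags the Winlogon Shell hijack in the F2 line, O4 Run entries launching from user-writable locations, autoruns with all-digit directory names, and value names that mimic system binaries but point outside system32. The sample lines are constructed from the shape of entries in this log, and the rule names and heuristics are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape HijackThis v2.0.2 writes: a few benign
# entries mixed with the kinds of entries seen in this thread. Not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Temp\wpv161255703227.exe
C:\Documents and Settings\Daniel\Application Data\svcst.exe

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv161255703227.exe
O4 - HKLM\..\Run: [22856831] C:\DOCUME~1\ALLUSE~1\APPLIC~1\22856831\22856831.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Daniel\Application Data\svcst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
"""

# Path fragments any logged-on user can write to on XP (assumption: a legitimate
# autorun normally lives under Program Files or the Windows tree, not here).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\docume~1\\", "\\documents and settings\\")
# Value names that malware borrows from real Windows binaries to blend in.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer", "ctfmon", "rundll32"}

O4_RUN = re.compile(r"^O4 - (?P<hive>\S+\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
NUMERIC_DIR = re.compile(r"\\(\d{6,})\\\1\.exe$", re.IGNORECASE)   # ...\22856831\22856831.exe
BARE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)                 # "Running processes" lines


@dataclass
class Finding:
    rule: str     # which heuristic fired (rule names are this example's own)
    entry: str    # the log line that triggered it
    target: str   # the path or value the heuristic looked at


def target_path(cmd: str) -> str:
    """Extract the program path (or the DLL a rundll32 entry loads) from a Run command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    head = cmd.split()[0]
    if head.lower() in ("rundll32.exe", "rundll32"):
        rest = cmd[len(head):].strip()          # rundll32 <dll>,<entry>: judge the DLL
        return rest[1:rest.find('"', 1)] if rest.startswith('"') else rest.split(",")[0]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)   # unquoted path up to .exe
    return m.group(1) if m else head


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = F2_SHELL.match(line)
        if m:
            shell = m.group("shell").strip()
            # Winlogon's Shell value should be exactly Explorer.exe; anything appended to it
            # is launched at every logon (the MBAM log in this thread calls this Hijack.Shell).
            if shell.lower() != "explorer.exe":
                findings.append(Finding("shell-hijack", line, shell))
            continue
        m = O4_RUN.match(line)
        if m:
            target = target_path(m.group("cmd"))
            name = m.group("name").lower().removesuffix(".exe")
            if in_user_writable(target):
                findings.append(Finding("user-writable-autorun", line, target))
            if NUMERIC_DIR.search(target):
                findings.append(Finding("numeric-autorun", line, target))
            if name in SYSTEM_NAMES and "\\windows\\system32\\" not in target.lower():
                findings.append(Finding("system-name-mimicry", line, target))
            continue
        if BARE_PATH.match(line) and in_user_writable(line):
            findings.append(Finding("user-writable-process", line, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:24} {f.target}")
```

These heuristics only prioritise lines for a human to look at; an entry that passes them (the NvCpl and EA Core lines above) is not thereby clean.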

Re: Virus again

Post by Danimal on Wed Oct 21, 2009 9:15 pm

bump


Re: Virus again

Post by Dr Jay on Wed Oct 21, 2009 11:09 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)



Re: Virus again

Post by Danimal on Thu Oct 22, 2009 6:26 am

Certain files cannot be removed:
hkey_local_machine/software/microsoft/windows/currentversion/run/Regedit32
hkey_local_machine/software/system/currentcontrolset/control/lsa/notification packages data: agryui31.dll

Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 5.1.2600 Service Pack 2

10/21/2009 11:23:21 PM
mbam-log-2009-10-21 (23-23-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 237436
Time elapsed: 1 hour(s), 12 minute(s), 16 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 11
Registry Data Items Infected: 5
Folders Infected: 4
Files Infected: 33

Memory Processes Infected:
C:\Documents and Settings\Daniel\Application Data\seres.exe (Rogue.AntiVirusPro) -> Unloaded process successfully.
C:\Documents and Settings\Daniel\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Unloaded process successfully.
C:\WINDOWS\temp\wpv641255703227.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer64_a (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer64_a (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: agryui31.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe cpcp.cpo bef0regiiav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Agryui31.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Daniel\Application Data\lizkavd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\B8GNQ9Z4\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\seres.exe (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv641255703227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\jicacace.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv291255594149.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv381255492056.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv641255137485.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\restorer64_a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Virus again

Post by Dr Jay on Thu Oct 22, 2009 3:13 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.


Dr. Jay (DJ)



Re: Virus again

Post by Danimal on Thu Oct 22, 2009 7:44 pm

OK, "%userprofile%\desktop\commy.exe" /stepdel can't be found?


Re: Virus again

Post by Danimal on Fri Oct 23, 2009 3:10 am

Let's try this again, I'm going to rescan my computer on hijack.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:40 PM, on 10/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\commy.exe\CF8281.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\program files\ncsoft\launcher\NCLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\wpv931255562528.exe
C:\WINDOWS\Temp\wpv731255703227.exe
C:\WINDOWS\system32\restorer64_a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\rundll22.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sort.exe
C:\Documents and Settings\Daniel\Application Data\seres.exe
C:\Documents and Settings\Daniel\Application Data\svcst.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\22856831\22856831.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Daniel\Desktop\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
O4 - HKLM\..\Run: [14812218] C:\DOCUME~1\ALLUSE~1\APPLIC~1\14812218\14812218.exe
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv731255703227.exe
O4 - HKLM\..\Run: [22856831] C:\DOCUME~1\ALLUSE~1\APPLIC~1\22856831\22856831.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [NCsoft Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\rundll22.exe
O4 - HKCU\..\Run: [restorer64_a] C:\Documents and Settings\Daniel\restorer64_a.exe
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Daniel\Application Data\seres.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Daniel\Application Data\svcst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: zavupd32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c6635fea52a) (gupdate1c9c6635fea52a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7056 bytes


Re: Virus again

Post by Danimal on Fri Oct 23, 2009 4:09 am

ComboFix 09-10-21.02 - Daniel 10/22/2009 20:47.16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1573 [GMT -7:00]
Running from: c:\documents and settings\Daniel\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\22856831
c:\documents and settings\All Users\Application Data\22856831\22856831.exe
c:\documents and settings\Daniel\Application Data\lizkavd.exe
c:\documents and settings\Daniel\Application Data\seres.exe
c:\documents and settings\Daniel\Application Data\svcst.exe
c:\documents and settings\Daniel\Application Data\wiaserva.log
c:\documents and settings\Daniel\Desktop\Security Tool.lnk
c:\documents and settings\Daniel\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Daniel\Start Menu\Programs\Security Tool.lnk
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\14812218\14812218.exe
c:\documents and settings\Daniel\Application Data\wiaserva.log
c:\documents and settings\Daniel\restorer64_a.exe
c:\documents and settings\Daniel\Start Menu\Programs\Security Tool.lnk
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\qtplugin.exe
c:\windows\system32\restorer64_a.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\agp440.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 03:56 . 2009-10-23 03:56 94112 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-10-23 03:55 . 2009-10-23 03:55 58729 ----a-w- c:\windows\system32\restorer64_a.exe
2009-10-23 03:55 . 2009-10-23 03:55 58729 ----a-w- c:\documents and settings\Daniel\restorer64_a.exe
2009-10-23 03:12 . 2009-10-23 03:12 -------- d-----w- c:\documents and settings\Daniel\Application Data\AVG8
2009-10-22 06:19 . 2009-10-22 06:19 19442 ----a-w- c:\windows\system32\aniny.com
2009-10-22 03:49 . 2009-10-22 04:16 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-10-21 14:32 . 2009-10-21 14:34 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\ApplicationHistory
2009-10-21 01:50 . 2009-10-22 18:57 120 ----a-w- c:\windows\Hjigijevula.dat
2009-10-21 01:50 . 2009-10-22 07:19 0 ----a-w- c:\windows\Ptale.bin
2009-10-21 01:50 . 2009-10-21 01:50 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\{07775275-401E-4BC4-8833-D4BDF5C09385}
2009-10-21 01:49 . 2009-10-21 01:49 11930 ----a-w- c:\windows\ihuqipofu.com
2009-10-21 01:46 . 2009-10-23 03:55 55296 ----a-w- c:\windows\rundll22.exe
2009-10-20 13:56 . 2009-10-20 13:56 -------- d-----w- c:\program files\MSXML 6.0
2009-10-20 04:11 . 2009-08-04 14:00 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-20 04:11 . 2009-08-04 13:58 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-20 04:11 . 2009-08-04 13:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-20 04:11 . 2009-08-04 13:13 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-19 19:42 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-19 13:20 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-19 02:11 . 2009-10-19 02:15 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\AIM
2009-10-19 02:11 . 2009-10-19 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-19 02:11 . 2009-10-19 02:11 -------- d-----w- c:\program files\AIM
2009-10-19 02:10 . 2009-10-19 02:10 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-19 01:27 . 2001-08-18 05:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-10-19 01:26 . 2004-08-04 00:56 400384 -c--a-w- c:\windows\system32\dllcache\fxsxp32.dll
2009-10-19 01:24 . 2001-08-23 14:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-10-19 00:06 . 2001-08-23 14:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-10-19 00:06 . 2001-08-23 14:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-10-19 00:06 . 2001-08-23 14:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-10-19 00:06 . 2001-08-23 14:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-10-18 22:40 . 2009-10-18 22:40 -------- d-----w- c:\program files\CCleaner
2009-10-18 21:55 . 2009-10-18 21:55 -------- d-----w- C:\_OTM
2009-10-17 02:57 . 2009-10-18 17:54 1580 ----a-w- c:\documents and settings\Daniel\FilterData.dat
2009-10-15 03:13 . 2009-10-15 03:58 -------- d-----w- c:\program files\phdgaq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 03:56 . 2009-10-23 03:56 159344 ----a-w- c:\documents and settings\Daniel\Application Data\lizkavd.exe
2009-10-23 03:56 . 2008-09-14 21:13 94112 ----a-w- c:\windows\system32\drivers\AGP440.sys
2009-10-23 03:56 . 2009-10-23 03:56 44032 ----a-w- c:\documents and settings\Daniel\Application Data\svcst.exe
2009-10-23 03:56 . 2009-10-23 03:56 44032 ----a-w- c:\documents and settings\Daniel\Application Data\seres.exe
2009-10-23 03:34 . 2008-01-13 05:10 -------- d-----w- c:\program files\Warcraft III
2009-10-23 03:31 . 2008-06-01 21:45 -------- d-----w- c:\program files\AVG
2009-10-23 03:30 . 2008-06-01 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-22 06:38 . 2009-10-22 06:38 10032 ----a-w- c:\program files\Common Files\eheh.db
2009-10-21 03:50 . 2007-12-21 19:12 -------- d-----w- c:\program files\Steam
2009-10-19 01:23 . 2007-12-18 06:52 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-19 00:14 . 2008-01-13 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 00:13 . 2008-10-01 05:28 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-18 01:07 . 2009-07-18 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 16:23 . 2007-12-18 07:00 88568 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-17 14:12 . 2008-12-02 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-17 14:11 . 2008-12-02 02:10 -------- d-----w- c:\program files\Microsoft Works
2009-10-02 03:42 . 2008-01-13 03:06 -------- d-----w- c:\program files\iTunes
2009-09-28 06:58 . 2009-03-13 04:57 7 ----a-w- c:\windows\sbacknt.bin
2009-09-25 05:56 . 2004-08-04 00:56 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-20 00:04 . 2009-09-19 05:17 -------- d-----w- c:\documents and settings\Daniel\Application Data\GetRightToGo
2009-09-20 00:04 . 2009-09-20 00:03 -------- d-----w- c:\program files\NCSoft
2009-09-20 00:03 . 2007-12-18 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 23:55 . 2009-09-19 23:55 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-12 17:27 . 2009-07-07 00:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-12 17:20 . 2009-07-07 00:35 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-11 14:33 . 2004-08-04 00:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-07-18 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-18 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Real
2009-08-30 09:15 . 2007-12-18 07:43 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-30 09:15 . 2007-12-18 07:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-30 09:08 . 2009-08-30 09:08 -------- d-----w- c:\documents and settings\Daniel\Application Data\FFSJ
2009-08-26 08:16 . 2004-08-04 00:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 04:58 . 2008-11-07 08:58 -------- d-----w- c:\documents and settings\Daniel\Application Data\Move Networks
2009-08-26 02:34 . 2008-01-13 05:12 79373 ----a-w- c:\windows\War3Unin.dat
2009-08-19 03:47 . 2009-08-19 03:47 16458 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\avysocaru.dat
2009-08-19 03:47 . 2009-08-19 03:47 11072 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\ojajacuhy.exe
2009-08-18 14:40 . 2009-08-18 14:40 18139 ----a-w- c:\documents and settings\Daniel\Application Data\yromezepa.sys
2009-08-18 14:40 . 2009-08-18 14:40 18026 ----a-w- c:\documents and settings\Daniel\Application Data\xohubi.bin
2009-08-18 14:40 . 2009-08-18 14:40 17332 ----a-w- c:\documents and settings\All Users\Application Data\jevewyf.pif
2009-08-18 14:40 . 2009-08-18 14:40 16627 ----a-w- c:\program files\Common Files\sytohuv.pif
2009-08-18 14:40 . 2009-08-18 14:40 15727 ----a-w- c:\documents and settings\Daniel\Application Data\xygimybi.pif
2009-08-18 14:40 . 2009-08-18 14:40 15313 ----a-w- c:\documents and settings\All Users\Application Data\xaqomuzen.pif
2009-08-18 14:40 . 2009-08-18 14:40 14325 ----a-w- c:\windows\iducy.pif
2009-08-18 14:40 . 2009-08-18 14:40 12214 ----a-w- c:\program files\Common Files\evyh.com
2009-08-18 14:40 . 2009-08-18 14:40 12038 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\ucec.pif
2009-08-18 14:40 . 2009-08-18 14:40 11119 ----a-w- c:\program files\Common Files\ucynyfoq.dat
2009-08-18 06:42 . 2009-08-18 06:42 10969 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\vufuwos.dll
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 02:24 . 2007-12-18 06:53 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2007-12-18 06:53 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2007-12-18 06:53 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2007-12-18 06:53 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 00:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2007-12-18 06:53 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-12-20 03:22 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-12-20 03:22 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2007-12-18 06:53 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 00:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:58 . 2004-08-03 23:18 2136064 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:53 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2001-08-23 14:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-02-07 02:14 . 2009-02-07 02:14 3143 ----a-w- c:\program files\images.jpeg
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-10-23 03:56 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\system32\dllcache\agp440.sys
[-] 2009-10-23 03:56 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\system32\drivers\AGP440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\agp440.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-10-22_19.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 03:54 . 2009-07-12 03:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 08:07 . 2009-07-12 08:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 08:19 . 2009-07-12 08:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-10-23 03:55 . 2009-10-23 03:55 58729 c:\windows\temp\wpv701256085323.exe
+ 2009-10-23 03:55 . 2009-10-23 03:55 21504 c:\windows\temp\wpv621255703227.exe
+ 2009-10-23 03:55 . 2009-10-23 03:55 17920 c:\windows\temp\wpv351255562528.exe
+ 2009-10-23 03:55 . 2009-10-23 03:55 30208 c:\windows\temp\wpv311256213260.exe
+ 2009-10-23 03:55 . 2009-10-23 03:55 48640 c:\windows\temp\wpv101255594149.exe
+ 2004-08-04 00:56 . 2004-08-04 00:56 48640 c:\windows\Agryui31.dll
+ 2009-07-12 08:12 . 2009-07-12 08:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 08:09 . 2009-07-12 08:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 08:08 . 2009-07-12 08:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-10-23 03:56 . 2009-10-23 03:56 410112 c:\windows\temp\_ex-08.exe
+ 2009-10-23 03:31 . 2009-10-23 03:31 424448 c:\windows\Installer\1a104de.msi
+ 2009-07-12 03:46 . 2009-07-12 03:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 03:46 . 2009-07-12 03:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2009-10-16 38184]
"ttool"="c:\windows\rundll22.exe" [2009-10-23 55296]
"restorer64_a"="c:\documents and settings\Daniel\restorer64_a.exe" [2009-10-23 58729]
"mserv"="c:\documents and settings\Daniel\Application Data\seres.exe" [2009-10-23 44032]
"svchost"="c:\documents and settings\Daniel\Application Data\svcst.exe" [2009-10-23 44032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-30 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"restorer64_a"="c:\windows\system32\restorer64_a.exe" [2009-10-23 58729]
"sysgif32"="c:\windows\Temp\wpv621255703227.exe" [2009-10-23 21504]
"82774836"="c:\docume~1\ALLUSE~1\APPLIC~1\82774836\82774836.exe" [2009-10-23 1050665]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-10-23 410112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

c:\documents and settings\Daniel\Start Menu\Programs\Startup\
zavupd32.exe [2004-8-3 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe cpcp.cpo bef0regiiav"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli Agryui31.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK
backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Documents and Settings\\Daniel\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Daniel\\My Documents\\Downloads\\YuLeech-RunesofMagic2_0_1_1821-en.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\day of defeat\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\age of chivalry\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Railroad Tycoon 3\\RT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/30/2009 7:14 PM 125304]
S2 gupdate1c9c6635fea52a;Google Update Service (gupdate1c9c6635fea52a);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2009 4:34 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
Trusted Zone: microsoft.com
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Daniel\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - hidden: XULRunner: {07775275-401E-4BC4-8833-D4BDF5C09385} - c:\documents and settings\Daniel\Local Settings\Application Data\{07775275-401E-4BC4-8833-D4BDF5C09385}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-14812218 - c:\docume~1\ALLUSE~1\APPLIC~1\14812218\14812218.exe
HKLM-Run-22856831 - c:\docume~1\ALLUSE~1\APPLIC~1\22856831\22856831.exe
HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-22 20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdlserv]
"imagepath"="\??\c:\windows\TEMP\218.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,17,10,a6,1a,91,59,de,05,47,ad,f5,09,7c,bc,e9,85,39,77,8f,44,8f,a0,
2b,9a,90,1b,83,b5,2d,46,f7,c8,38,a7,be,bb,a0,d1,8a,71,03,12,c6,b7,1d,c0,43,\
"??"=hex:9a,c3,59,50,72,6a,1a,2f,b3,4d,bb,af,4d,6f,c4,86

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:f3,b4,a5,20,23,1b,8a,66,38,a5,dc,a4,c1,ef,b4,c9,39,71,2c,e5,81,
83,27,db,5f,2e,62,6c,6a,48,04,c9,6b,72,ba,69,ea,2e,3a,0f,5e,49,fd,4f,ef,5e,\
"rkeysecu"=hex:ea,13,f9,d7,77,1f,03,70,cc,fd,10,91,ca,1b,a5,43

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\Agryui31.dll

- - - - - - - > 'Explorer.exe'(3864)
c:\windows\system32\msi.dll
c:\windows\Agryui31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\commy\CF28642.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\RUNDLL32.EXE
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 04:06
ComboFix2.txt 2009-10-22 19:34
ComboFix3.txt 2009-10-18 23:37
ComboFix4.txt 2009-08-19 21:05

Pre-Run: 80,057,335,808 bytes free
Post-Run: 80,215,265,280 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 38C72D9C81D1AC8AE2FE1C9882EAE8C2


Re: Virus again

Post by Dr Jay on Fri Oct 23, 2009 5:05 am

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\documents and settings\Daniel\restorer64_a.exe
    c:\windows\system32\restorer64_a.exe
    c:\windows\system32\aniny.com
    c:\windows\Hjigijevula.dat
    c:\windows\Ptale.bin
    c:\windows\ihuqipofu.com
    c:\windows\rundll22.exe
    c:\documents and settings\Daniel\Application Data\lizkavd.exe
    c:\documents and settings\Daniel\Application Data\svcst.exe
    c:\documents and settings\Daniel\Application Data\seres.exe
    c:\documents and settings\Daniel\Local Settings\Application Data\avysocaru.dat
    c:\documents and settings\Daniel\Local Settings\Application Data\ojajacuhy.exe
    c:\documents and settings\Daniel\Application Data\yromezepa.sys
    c:\documents and settings\Daniel\Application Data\xohubi.bin
    c:\documents and settings\All Users\Application Data\jevewyf.pif
    c:\program files\Common Files\sytohuv.pif
    c:\documents and settings\Daniel\Application Data\xygimybi.pif
    c:\documents and settings\All Users\Application Data\xaqomuzen.pif
    c:\windows\iducy.pif
    c:\program files\Common Files\evyh.com
    c:\documents and settings\Daniel\Local Settings\Application Data\ucec.pif
    c:\program files\Common Files\ucynyfoq.dat
    c:\documents and settings\Daniel\Local Settings\Application Data\vufuwos.dll
    c:\windows\Temp\wpv621255703227.exe
    c:\docume~1\ALLUSE~1\APPLIC~1\82774836\82774836.exe
    c:\windows\Agryui31.dll

    Folder::
    c:\program files\phdgaq

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "restorer64_a"=-
    "mserv"=-
    "svchost"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sysgif32"=-
    "82774836"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


==

Please make sure the ComboFix and SpiderKill logs are posted in your next reply.


Dr. Jay (DJ)


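The CFScript above was built by hand from the Reg Loading Points and Sigcheck sections of Danimal's ComboFix log. As an added example (not part of this thread and not a ComboFix tool), the Python below parses those same line formats and flags the patterns the helper picked out: autostart entries under Temp, at the root of a user profile or Application Data, 8-digit dropper folders, system-process look-alikes, a Winlogon Shell value that launches more than Explorer.exe, and Sigcheck rows marked [-]. The sample log is an excerpt copied from the log above; reading [-] as "could not be verified" is an assumption drawn from the AGP440.sys lines, not from ComboFix documentation.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not a
ComboFix or forum tool). It parses the Run-key lines of the "Reg Loading
Points" section, the Winlogon "Shell" value and the "Sigcheck" table, and
flags the patterns visible in the log above. Heuristics only: a hit is a
prompt to investigate, not a verdict."""
import ntpath
import re

# "name"="path" [date size]   (Run-key line as ComboFix prints it)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]')
# "Shell"="Explorer.exe ..."   (Winlogon value; anything beyond Explorer.exe is odd)
SHELL_LINE = re.compile(r'^"Shell"="(?P<value>[^"]*)"$')
# [flag] date . MD5 . size . . [version] . . path   (Sigcheck table row)
SIG_LINE = re.compile(
    r'^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d\d-\d\d(?:\s+\d\d:\d\d)?)\s+\.\s+'
    r'(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]'
    r'\s+\.\s+\.\s+(?P<path>\S.*)$')

# Windows binaries that malware commonly names itself after.
SYSTEM_NAMES = {"svchost", "rundll32", "lsass", "services", "winlogon", "csrss", "smss"}
# Digit-stripped stems, so "rundll22" is recognised as a look-alike of "rundll32".
LOOKALIKE = {re.sub(r"\d", "", n): n for n in SYSTEM_NAMES}


def run_entry_reasons(name, path):
    """Reasons a Run-key entry deserves a closer look (empty list = nothing odd)."""
    p = path.lower()
    stem = ntpath.splitext(ntpath.basename(p))[0]
    stem_key = re.sub(r"\d", "", stem)
    reasons = []
    if "\\temp\\" in p:
        reasons.append("autostart binary runs from a Temp folder")
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+$", p):
        reasons.append("binary sits at the root of a user profile")
    if re.search(r"\\(application data|applic~1)\\[^\\]+\.(exe|com|pif|scr|dll)$", p):
        reasons.append("binary sits directly in Application Data, not in a vendor folder")
    if re.search(r"\\(\d{8})\\\1\.exe$", p):
        reasons.append("8-digit folder and file name (rogue-antivirus dropper pattern in this log)")
    if re.sub(r"\.exe$", "", name.lower()) in SYSTEM_NAMES and "\\system32\\" not in p:
        reasons.append(f"value named after system process '{name}' points outside system32")
    if stem_key in LOOKALIKE and "\\system32\\" not in p:
        reasons.append(f"file name resembles {LOOKALIKE[stem_key]} but is outside system32")
    return reasons


def triage(log_text):
    """Walk a log excerpt and return (section, subject, reasons) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            reasons = run_entry_reasons(m["name"], m["path"])
            if reasons:
                findings.append(("Run key", m["path"], reasons))
            continue
        m = SHELL_LINE.match(line)
        if m:
            if m["value"].strip().lower() != "explorer.exe":
                findings.append(("Winlogon Shell", m["value"],
                                 ["Shell launches more than Explorer.exe"]))
            continue
        m = SIG_LINE.match(line)
        # In the log above the two infected AGP440.sys copies carry [-] and the
        # restored clean copy carries [7]; we read [-] as "could not be verified"
        # (an assumption about ComboFix's marker, not documented on the page).
        if m and m["flag"].strip() == "-":
            findings.append(("Sigcheck", m["path"],
                             [f"unverified file, version field [{m['ver']}], md5 {m['md5']}"]))
    return findings


# Excerpt copied from the ComboFix log posted above (sample input for the helper).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2009-10-16 38184]
"ttool"="c:\windows\rundll22.exe" [2009-10-23 55296]
"restorer64_a"="c:\documents and settings\Daniel\restorer64_a.exe" [2009-10-23 58729]
"svchost"="c:\documents and settings\Daniel\Application Data\svcst.exe" [2009-10-23 44032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysgif32"="c:\windows\Temp\wpv621255703227.exe" [2009-10-23 21504]
"82774836"="c:\docume~1\ALLUSE~1\APPLIC~1\82774836\82774836.exe" [2009-10-23 1050665]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe cpcp.cpo bef0regiiav"

------- Sigcheck -------
[-] 2009-10-23 03:56 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\system32\drivers\AGP440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\agp440.sys
'''

if __name__ == "__main__":
    for section, subject, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {subject}")
        for reason in reasons:
            print(f"    - {reason}")
```

Every flagged path in the sample corresponds to an entry Dr Jay listed in the CFScript, while the legitimate NCLauncher, ctfmon and NvCpl entries and the clean ERDNT backup are left alone.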


Re: Virus again

Post by Danimal on Fri Oct 23, 2009 6:45 am

ComboFix 09-10-21.02 - Daniel 10/22/2009 23:25.18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1500 [GMT -7:00]
Running from: c:\documents and settings\Daniel\Desktop\commy.exe
Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\docume~1\ALLUSE~1\APPLIC~1\82774836\82774836.exe"
"c:\documents and settings\All Users\Application Data\jevewyf.pif"
"c:\documents and settings\All Users\Application Data\xaqomuzen.pif"
"c:\documents and settings\Daniel\Application Data\lizkavd.exe"
"c:\documents and settings\Daniel\Application Data\seres.exe"
"c:\documents and settings\Daniel\Application Data\svcst.exe"
"c:\documents and settings\Daniel\Application Data\xohubi.bin"
"c:\documents and settings\Daniel\Application Data\xygimybi.pif"
"c:\documents and settings\Daniel\Application Data\yromezepa.sys"
"c:\documents and settings\Daniel\Local Settings\Application Data\avysocaru.dat"
"c:\documents and settings\Daniel\Local Settings\Application Data\ojajacuhy.exe"
"c:\documents and settings\Daniel\Local Settings\Application Data\ucec.pif"
"c:\documents and settings\Daniel\Local Settings\Application Data\vufuwos.dll"
"c:\documents and settings\Daniel\restorer64_a.exe"
"c:\program files\Common Files\evyh.com"
"c:\program files\Common Files\sytohuv.pif"
"c:\program files\Common Files\ucynyfoq.dat"
"c:\windows\Agryui31.dll"
"c:\windows\Hjigijevula.dat"
"c:\windows\iducy.pif"
"c:\windows\ihuqipofu.com"
"c:\windows\Ptale.bin"
"c:\windows\rundll22.exe"
"c:\windows\system32\aniny.com"
"c:\windows\system32\restorer64_a.exe"
"c:\windows\Temp\wpv621255703227.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\02709422
c:\documents and settings\All Users\Application Data\02709422\02709422.exe
c:\documents and settings\All Users\Application Data\aramija.lib
c:\documents and settings\All Users\Application Data\avyrevuzyc.inf
c:\documents and settings\All Users\Application Data\equfuz.com
c:\documents and settings\All Users\Documents\arucejatyk.reg
c:\documents and settings\All Users\Documents\ocequmuf.bat
c:\documents and settings\All Users\Documents\podywidox.com
c:\documents and settings\All Users\Documents\xydaba.com
c:\documents and settings\Daniel\Application Data\lizkavd.exe
c:\documents and settings\Daniel\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Daniel\Application Data\seres.exe
c:\documents and settings\Daniel\Application Data\svcst.exe
c:\documents and settings\Daniel\Application Data\wapisu.pif
c:\documents and settings\Daniel\Application Data\wiaserva.log
c:\documents and settings\Daniel\Cookies\azomolyfyh.com
c:\documents and settings\Daniel\Cookies\urabese.bat
c:\documents and settings\Daniel\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Daniel\Desktop\Security Tool.lnk
c:\documents and settings\Daniel\Local Settings\Application Data\exawuxahyh.exe
c:\documents and settings\Daniel\Local Settings\Application Data\sekati.scr
c:\documents and settings\Daniel\Local Settings\Temporary Internet Files\okopu.vbs
c:\documents and settings\Daniel\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Daniel\restorer64_a.exe
c:\documents and settings\Daniel\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Daniel\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Daniel\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Daniel\Start Menu\Programs\Security Tool.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ecoxo.bat
c:\program files\Common Files\kyxe.vbs
c:\program files\Common Files\nijynuf.com
c:\windows\Agryui31.dll
c:\windows\capebe.scr
c:\windows\denykagypy._sy
c:\windows\finil.bin
c:\windows\qudoc.inf
c:\windows\rundll22.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\dyxuquvevi.dll
c:\windows\system32\restorer64_a.exe

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\agp440.sys

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 06:33 . 2009-10-23 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\50744828
2009-10-23 05:59 . 2009-10-23 05:59 18739 ----a-w- c:\program files\Common Files\ofufuca.dat
2009-10-23 05:12 . 2009-10-23 05:12 -------- d-----w- C:\$AVG
2009-10-23 05:10 . 2009-10-23 05:10 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-23 05:10 . 2009-10-23 05:10 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-23 05:09 . 2009-10-23 05:10 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-23 05:09 . 2009-10-23 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-23 05:09 . 2009-10-23 05:09 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-23 05:09 . 2009-10-23 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-23 03:12 . 2009-10-23 03:12 -------- d-----w- c:\documents and settings\Daniel\Application Data\AVG8
2009-10-22 03:49 . 2009-10-22 04:16 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-10-21 14:32 . 2009-10-21 14:34 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\ApplicationHistory
2009-10-21 01:50 . 2009-10-21 01:50 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\{07775275-401E-4BC4-8833-D4BDF5C09385}
2009-10-20 04:11 . 2009-08-04 14:00 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-20 04:11 . 2009-08-04 13:58 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-20 04:11 . 2009-08-04 13:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-20 04:11 . 2009-08-04 13:13 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-19 19:42 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-19 13:20 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-19 02:11 . 2009-10-19 02:15 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\AIM
2009-10-19 02:11 . 2009-10-19 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-19 02:11 . 2009-10-19 02:11 -------- d-----w- c:\program files\AIM
2009-10-19 01:27 . 2001-08-18 05:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-10-19 01:26 . 2004-08-04 00:56 400384 -c--a-w- c:\windows\system32\dllcache\fxsxp32.dll
2009-10-19 01:24 . 2001-08-23 14:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-10-19 00:06 . 2001-08-23 14:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-10-19 00:06 . 2001-08-23 14:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-10-19 00:06 . 2001-08-23 14:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-10-19 00:06 . 2001-08-23 14:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-10-18 22:40 . 2009-10-18 22:40 -------- d-----w- c:\program files\CCleaner
2009-10-18 21:55 . 2009-10-18 21:55 -------- d-----w- C:\_OTM
2009-10-17 02:57 . 2009-10-18 17:54 1580 ----a-w- c:\documents and settings\Daniel\FilterData.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 05:09 . 2008-06-01 21:45 -------- d-----w- c:\program files\AVG
2009-10-23 05:04 . 2008-06-01 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-23 04:58 . 2007-12-21 19:12 -------- d-----w- c:\program files\Steam
2009-10-23 04:57 . 2007-12-18 07:00 81064 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 04:54 . 2008-11-07 08:58 -------- d-----w- c:\documents and settings\Daniel\Application Data\Move Networks
2009-10-23 03:34 . 2008-01-13 05:10 -------- d-----w- c:\program files\Warcraft III
2009-10-22 06:38 . 2009-10-22 06:38 10032 ----a-w- c:\program files\Common Files\eheh.db
2009-10-19 01:23 . 2007-12-18 06:52 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-19 00:14 . 2008-01-13 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 00:13 . 2008-10-01 05:28 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-18 01:07 . 2009-07-18 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 14:12 . 2008-12-02 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-17 14:11 . 2008-12-02 02:10 -------- d-----w- c:\program files\Microsoft Works
2009-10-02 03:42 . 2008-01-13 03:06 -------- d-----w- c:\program files\iTunes
2009-09-28 06:58 . 2009-03-13 04:57 7 ----a-w- c:\windows\sbacknt.bin
2009-09-25 05:56 . 2004-08-04 00:56 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-20 00:04 . 2009-09-19 05:17 -------- d-----w- c:\documents and settings\Daniel\Application Data\GetRightToGo
2009-09-20 00:04 . 2009-09-20 00:03 -------- d-----w- c:\program files\NCSoft
2009-09-20 00:03 . 2007-12-18 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 23:55 . 2009-09-19 23:55 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-12 17:27 . 2009-07-07 00:35 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-12 17:20 . 2009-07-07 00:35 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-11 14:33 . 2004-08-04 00:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-07-18 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-18 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\Real
2009-08-30 09:15 . 2007-12-18 07:43 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-30 09:15 . 2007-12-18 07:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-30 09:08 . 2009-08-30 09:08 -------- d-----w- c:\documents and settings\Daniel\Application Data\FFSJ
2009-08-26 08:16 . 2004-08-04 00:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 02:34 . 2008-01-13 05:12 79373 ----a-w- c:\windows\War3Unin.dat
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 02:24 . 2007-12-18 06:53 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2007-12-18 06:53 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2007-12-18 06:53 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2007-12-18 06:53 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 00:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2007-12-18 06:53 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-12-20 03:22 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-12-20 03:22 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2007-12-18 06:53 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-04 00:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:58 . 2004-08-03 23:18 2136064 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:53 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2001-08-23 14:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-02-07 02:14 . 2009-02-07 02:14 3143 ----a-w- c:\program files\images.jpeg
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-10-22_19.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 03:54 . 2009-07-12 03:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 03:32 . 2009-07-12 03:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 08:07 . 2009-07-12 08:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 08:19 . 2009-07-12 08:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-10-23 06:32 . 2009-10-23 06:32 21504 c:\windows\temp\wpv871255703227.exe
+ 2009-10-23 06:32 . 2009-10-23 06:32 48640 c:\windows\temp\wpv301255594149.exe
+ 2009-10-23 06:32 . 2009-10-23 06:32 58729 c:\windows\temp\wpv251256085323.exe
+ 2009-10-23 06:32 . 2009-10-23 06:32 27648 c:\windows\temp\wpv121255562528.exe
+ 2009-07-12 08:12 . 2009-07-12 08:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 08:09 . 2009-07-12 08:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 08:08 . 2009-07-12 08:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-10-23 06:33 . 2009-10-23 06:33 419328 c:\windows\temp\_ex-08.exe
+ 2007-12-17 21:20 . 2009-10-23 05:11 292480 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-23 03:31 . 2009-10-23 03:31 424448 c:\windows\Installer\1a104de.msi
+ 2009-07-12 03:46 . 2009-07-12 03:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 03:46 . 2009-07-12 03:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2009-10-16 38184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-30 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-23 2010904]
"sysgif32"="c:\windows\Temp\wpv871255703227.exe" [2009-10-23 21504]
"50744828"="c:\docume~1\ALLUSE~1\APPLIC~1\50744828\50744828.exe" [2009-10-23 1051177]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-10-23 419328]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

c:\documents and settings\Daniel\Start Menu\Programs\Startup\
zavupd32.exe [2004-8-3 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe cpcp.cpo bef0regiiav"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli Agryui31.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^DesktopVideoPlayer.LNK]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK
backup=c:\windows\pss\DesktopVideoPlayer.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Daniel\\My Documents\\Downloads\\YuLeech-RunesofMagic2_0_1_1821-en.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\day of defeat\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\smashball\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\buttche3k007\\age of chivalry\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\azndumpling1086@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Railroad Tycoon 3\\RT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\temp\\_ex-08.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/22/2009 10:10 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/22/2009 10:09 PM 360584]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/22/2009 10:09 PM 285392]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [1/30/2009 7:14 PM 125304]
S2 gupdate1c9c6635fea52a;Google Update Service (gupdate1c9c6635fea52a);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2009 4:34 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 11:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
Trusted Zone: microsoft.com
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\3wr807un.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - hidden: XULRunner: {07775275-401E-4BC4-8833-D4BDF5C09385} - c:\documents and settings\Daniel\Local Settings\Application Data\{07775275-401E-4BC4-8833-D4BDF5C09385}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ttool - c:\windows\rundll22.exe
HKLM-Run-restorer64_a - c:\windows\system32\restorer64_a.exe
HKLM-Run-02709422 - c:\docume~1\ALLUSE~1\APPLIC~1\02709422\02709422.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-22 23:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Agryui31.dll

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tdlserv]
"imagepath"="\??\c:\windows\TEMP\218.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,17,10,a6,1a,91,59,de,05,47,ad,f5,09,7c,bc,e9,85,39,77,8f,44,8f,a0,
2b,9a,90,1b,83,b5,2d,46,f7,c8,38,a7,be,bb,a0,d1,8a,71,03,12,c6,b7,1d,c0,43,\
"??"=hex:9a,c3,59,50,72,6a,1a,2f,b3,4d,bb,af,4d,6f,c4,86

[HKEY_USERS\S-1-5-21-1060284298-507921405-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:f3,b4,a5,20,23,1b,8a,66,38,a5,dc,a4,c1,ef,b4,c9,39,71,2c,e5,81,
83,27,db,5f,2e,62,6c,6a,48,04,c9,6b,72,ba,69,ea,2e,3a,0f,5e,49,fd,4f,ef,5e,\
"rkeysecu"=hex:ea,13,f9,d7,77,1f,03,70,cc,fd,10,91,ca,1b,a5,43

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3960)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\commy\CF4306.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\Temp\wpv121255562528.exe
c:\windows\system32\rundll32.exe
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 23:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 06:42
ComboFix2.txt 2009-10-23 06:07
ComboFix3.txt 2009-10-23 04:06
ComboFix4.txt 2009-10-22 19:34
ComboFix5.txt 2009-10-23 06:24

Pre-Run: 78,015,209,472 bytes free
Post-Run: 77,972,267,008 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - B9BEC0298472275C28A58E9EFB0DA07D

Danimal
Intermediate

Posts : 109
Joined : 2009-03-03
Gender : Male
OS : PC Vista
Protection : McAfee
Points : 29117
# Likes : 0


Re: Virus again

Post by Danimal on Fri Oct 23, 2009 6:45 am

SpiderKill by DragonMaster Jay ( Oct 2009 )


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C has no label.
Volume Serial Number is 3CBF-962C

Directory of C:\Windows\System32\Drivers

10/22/2009 11:42 PM .
10/22/2009 11:42 PM ..
08/03/2004 04:07 PM 187,776 acpi.sys
08/23/2001 07:00 AM 11,648 acpiec.sys
08/04/2004 12:56 AM 4,255 adv01nt5.dll
08/04/2004 12:56 AM 3,967 adv02nt5.dll
08/04/2004 12:56 AM 3,615 adv05nt5.dll
08/04/2004 12:56 AM 3,647 adv07nt5.dll
08/04/2004 12:56 AM 3,135 adv08nt5.dll
08/04/2004 12:56 AM 3,711 adv09nt5.dll
08/04/2004 12:56 AM 3,775 adv11nt5.dll
08/03/2004 06:05 PM 142,464 aec.sys
08/14/2008 02:51 AM 138,368 afd.sys
08/03/2004 11:07 PM 42,368 AGP440.sys
08/03/2004 11:07 PM 44,928 agpcpq.sys
08/03/2004 11:07 PM 42,752 alim1541.sys
08/03/2004 11:07 PM 43,008 amdagp.sys
08/03/2004 06:05 PM 36,992 amdk6.sys
08/03/2004 06:05 PM 37,376 amdk7.sys
08/03/2004 06:05 PM 60,800 arp1394.sys
08/03/2004 04:05 PM 14,336 asyncmac.sys
08/03/2004 03:59 PM 95,360 atapi.sys
08/03/2004 10:29 PM 56,623 ati1btxx.sys
08/03/2004 10:29 PM 11,615 ati1mdxx.sys
08/03/2004 10:29 PM 12,047 ati1pdxx.sys
08/03/2004 10:29 PM 30,671 ati1raxx.sys
08/03/2004 10:29 PM 63,663 ati1rvxx.sys
08/03/2004 10:29 PM 26,367 ati1snxx.sys
08/03/2004 10:29 PM 21,343 ati1ttxx.sys
08/03/2004 10:29 PM 36,463 ati1tuxx.sys
08/03/2004 10:29 PM 29,455 ati1xbxx.sys
08/03/2004 10:29 PM 34,735 ati1xsxx.sys
08/03/2004 10:29 PM 327,040 ati2mtaa.sys
08/03/2004 10:29 PM 701,440 ati2mtag.sys
08/03/2004 10:29 PM 57,856 atinbtxx.sys
08/03/2004 10:29 PM 13,824 atinmdxx.sys
08/03/2004 10:29 PM 14,336 atinpdxx.sys
08/03/2004 10:29 PM 52,224 atinraxx.sys
08/03/2004 10:29 PM 104,960 atinrvxx.sys
08/03/2004 10:29 PM 28,672 atinsnxx.sys
08/03/2004 10:29 PM 13,824 atinttxx.sys
08/03/2004 10:29 PM 73,216 atintuxx.sys
08/03/2004 10:29 PM 31,744 atinxbxx.sys
08/03/2004 10:29 PM 63,488 atinxsxx.sys
07/17/2004 11:36 AM 64,352 ativmc20.cod
08/03/2004 03:58 PM 59,904 atmarpc.sys
08/23/2001 07:00 AM 31,360 atmepvc.sys
08/03/2004 03:58 PM 55,936 atmlane.sys
08/23/2001 07:00 AM 352,256 atmuni.sys
08/04/2004 12:56 AM 21,183 atv01nt5.dll
08/04/2004 12:56 AM 11,359 atv02nt5.dll
08/04/2004 12:56 AM 25,471 atv04nt5.dll
08/04/2004 12:56 AM 14,143 atv06nt5.dll
08/04/2004 12:56 AM 17,279 atv10nt5.dll
08/17/2001 06:59 AM 3,072 audstub.sys
10/22/2009 10:10 PM Avg
10/22/2009 10:10 PM 333,192 avgldx86.sys
10/22/2009 10:10 PM 28,424 avgmfx86.sys
10/22/2009 10:09 PM 360,584 avgtdix.sys
08/23/2001 07:00 AM 4,224 beep.sys
08/03/2004 03:59 PM 71,552 bridge.sys
08/03/2004 04:10 PM 17,024 bthenum.sys
08/03/2004 04:10 PM 38,016 bthmodem.sys
08/03/2004 03:58 PM 100,992 bthpan.sys
06/13/2008 06:10 AM 272,128 bthport.sys
08/03/2004 04:10 PM 35,456 bthprint.sys
08/03/2004 04:10 PM 18,944 bthusb.sys
08/23/2001 07:00 AM 13,952 cbidf2k.sys
08/03/2004 11:10 PM 17,024 ccdecode.sys
08/23/2001 07:00 AM 18,688 cdaudio.sys
08/03/2004 04:14 PM 63,744 cdfs.sys
11/21/2008 02:47 PM 9,336 cdr4_xp.sys
11/21/2008 02:47 PM 9,464 cdralw2k.sys
08/03/2004 03:59 PM 49,536 cdrom.sys
08/04/2004 12:56 AM 15,423 ch7xxnt5.dll
08/23/2001 07:00 AM 262,528 cinemst2.sys
08/03/2004 04:14 PM 49,664 classpnp.sys
08/23/2001 07:00 AM 11,776 cpqdap01.sys
08/03/2004 06:05 PM 36,480 crusoe.sys
07/17/2004 10:55 PM 129,045 cxthsfs2.cty
12/17/2007 02:14 PM disdn
08/03/2004 03:59 PM 36,352 disk.sys
08/03/2004 03:59 PM 14,208 diskdump.sys
08/03/2004 04:07 PM 799,744 dmboot.sys
08/03/2004 04:07 PM 153,344 dmio.sys
08/23/2001 07:00 AM 5,888 dmload.sys
08/03/2004 11:07 PM 52,864 DMusic.sys
08/03/2004 06:05 PM 60,288 drmk.sys
08/03/2004 06:05 PM 2,944 drmkaud.sys
08/23/2001 07:00 AM 10,496 dxapi.sys
08/03/2004 04:00 PM 71,040 dxg.sys
08/23/2001 07:00 AM 3,328 dxgthk.sys
10/22/2009 11:32 PM etc
08/03/2004 04:14 PM 143,360 fastfat.sys
08/03/2004 03:59 PM 27,392 fdc.sys
08/23/2001 07:00 AM 34,944 fips.sys
08/03/2004 03:59 PM 20,480 flpydisk.sys
08/03/2004 04:01 PM 124,800 fltMgr.sys
08/23/2001 07:00 AM 12,160 fsvga.sys
08/23/2001 07:00 AM 7,936 fs_rec.sys
08/23/2001 07:00 AM 125,056 ftdisk.sys
08/03/2004 11:07 PM 46,464 gagp30kx.sys
09/19/2006 03:44 PM 15,664 GEARAspiWDM.sys
08/23/2001 07:00 AM 3,440,660 gm.dls
08/23/2001 07:00 AM 646 gmreadme.txt
04/13/2008 09:36 AM 144,384 hdaudbus.sys
01/07/2005 06:07 PM 145,920 Hdaudio.sys
08/03/2004 04:10 PM 25,600 hidbth.sys
08/03/2004 04:08 PM 36,224 hidclass.sys
08/03/2004 11:08 PM 15,104 hidir.sys
08/03/2004 04:08 PM 24,960 hidparse.sys
08/23/2001 07:00 AM 9,600 hidusb.sys
08/03/2004 10:41 PM 220,032 hsfbs2s2.sys
08/03/2004 10:41 PM 685,056 hsfcxts2.sys
08/03/2004 10:41 PM 1,041,536 hsfdpsp2.sys
08/03/2004 04:00 PM 263,040 http.sys
08/03/2004 04:14 PM 52,736 i8042prt.sys
03/20/2007 10:19 AM 11,568 imagedrv.sys
03/20/2007 10:19 AM 133,168 imagesrv.sys
08/03/2004 04:00 PM 41,856 imapi.sys
08/03/2004 03:59 PM 36,096 intelppm.sys
08/03/2004 04:00 PM 29,056 ip6fw.sys
08/23/2001 07:00 AM 32,896 ipfltdrv.sys
08/03/2004 04:04 PM 20,992 ipinip.sys
08/03/2004 04:04 PM 134,912 ipnat.sys
08/03/2004 04:14 PM 74,752 ipsec.sys
08/03/2004 11:08 PM 40,832 irbus.sys
08/03/2004 04:00 PM 11,264 irenum.sys
08/23/2001 07:00 AM 35,840 isapnp.sys
08/03/2004 03:58 PM 24,576 kbdclass.sys
08/03/2004 06:05 PM 171,776 kmixer.sys
08/03/2004 06:05 PM 140,928 ks.sys
06/22/2009 04:34 AM 92,544 ksecdd.sys
09/10/2009 02:53 PM 19,160 mbam.sys
09/10/2009 02:54 PM 38,224 mbamswissarmy.sys
08/23/2001 07:00 AM 7,680 mcd.sys
08/03/2004 10:41 PM 11,868 mdmxsdk.sys
08/03/2004 06:05 PM 63,744 mf.sys
08/23/2001 07:00 AM 4,224 mnmdd.sys
08/03/2004 06:05 PM 30,080 modem.sys
08/03/2004 06:05 PM 23,040 mouclass.sys
08/23/2001 07:00 AM 12,160 mouhid.sys
08/03/2004 03:58 PM 42,240 mountmgr.sys
06/22/2009 04:48 AM 91,776 mqac.sys
08/03/2004 04:00 PM 181,248 mrxdav.sys
10/24/2008 04:10 AM 453,632 mrxsmb.sys
08/03/2004 04:00 PM 19,072 msfs.sys
08/03/2004 04:04 PM 35,072 msgpc.sys
08/03/2004 06:05 PM 7,552 mskssrv.sys
08/03/2004 06:05 PM 5,376 mspclock.sys
08/03/2004 06:05 PM 4,992 mspqm.sys
08/03/2004 06:05 PM 15,488 mssmbios.sys
08/03/2004 10:58 PM 5,504 mstee.sys
08/03/2004 10:41 PM 126,686 mtlmnt5.sys
08/03/2004 10:41 PM 1,309,184 mtlstrm.sys
08/03/2004 10:29 PM 452,736 mtxparhm.sys
08/03/2004 04:15 PM 107,904 mup.sys
08/03/2004 11:04 PM 12,672 mutohpen.sys
08/03/2004 11:10 PM 85,376 nabtsfec.sys
08/03/2004 04:14 PM 182,912 ndis.sys
08/03/2004 06:05 PM 10,880 ndisip.sys
08/23/2001 07:00 AM 9,600 ndistapi.sys
08/03/2004 06:05 PM 12,928 ndisuio.sys
08/03/2004 04:14 PM 91,776 ndiswan.sys
08/23/2001 07:00 AM 38,016 ndproxy.sys
08/03/2004 04:03 PM 34,560 netbios.sys
08/03/2004 04:14 PM 162,816 netbt.sys
07/17/2004 11:35 AM 67,866 netwlan5.img
08/03/2004 06:05 PM 61,824 nic1394.sys
08/23/2001 07:00 AM 12,032 nikedrv.sys
08/03/2004 03:59 PM 40,320 nmnt.sys
08/03/2004 04:00 PM 30,848 npfs.sys
08/03/2004 04:15 PM 574,592 ntfs.sys
08/03/2004 10:41 PM 180,360 ntmtlfax.sys
08/23/2001 07:00 AM 2,944 null.sys
06/10/2009 06:03 AM 8,087,712 nv4_mini.sys
08/23/2001 07:00 AM 12,416 nwlnkflt.sys
08/23/2001 07:00 AM 32,512 nwlnkfwd.sys
08/03/2004 04:03 PM 88,448 nwlnkipx.sys
08/23/2001 07:00 AM 63,232 nwlnknb.sys
08/23/2001 07:00 AM 55,936 nwlnkspx.sys
08/03/2004 04:02 PM 163,584 nwrdr.sys
08/23/2001 07:00 AM 3,456 oprghdlr.sys
08/03/2004 06:05 PM 42,496 p3.sys
08/03/2004 06:05 PM 80,128 parport.sys
08/23/2001 07:00 AM 18,688 partmgr.sys
08/23/2001 07:00 AM 6,784 parvdm.sys
08/03/2004 04:07 PM 68,224 pci.sys
08/23/2001 07:00 AM 3,328 pciide.sys
08/03/2004 03:59 PM 25,088 pciidex.sys
08/03/2004 04:07 PM 119,936 pcmcia.sys
09/12/2009 10:20 AM 137,544 PnkBstrK.sys
08/03/2004 06:05 PM 145,792 portcls.sys
08/03/2004 06:05 PM 35,328 processr.sys
08/03/2004 04:04 PM 69,120 psched.sys
08/23/2001 07:00 AM 17,792 ptilink.sys
11/21/2008 02:47 PM 43,528 PxHelp20.sys
08/23/2001 07:00 AM 8,832 rasacd.sys
08/03/2004 04:14 PM 51,328 rasl2tp.sys
08/03/2004 04:05 PM 41,472 raspppoe.sys
08/03/2004 04:14 PM 48,384 raspptp.sys
08/23/2001 07:00 AM 16,512 raspti.sys
08/23/2001 07:00 AM 34,432 rawwan.sys
08/03/2004 04:20 PM 176,512 rdbss.sys
08/23/2001 07:00 AM 4,224 rdpcdd.sys
08/03/2004 11:01 PM 196,864 rdpdr.sys
08/03/2004 06:01 PM 139,400 rdpwd.sys
08/03/2004 10:41 PM 13,776 recagent.sys
08/03/2004 10:59 PM 57,472 redbook.sys
08/03/2004 04:10 PM 59,648 rfcomm.sys
08/23/2001 07:00 AM 12,032 rio8drv.sys
08/23/2001 07:00 AM 12,032 riodrv.sys
05/08/2008 05:28 AM 202,752 rmcast.sys
08/03/2004 04:04 PM 30,080 rndismp.sys
08/03/2004 11:04 PM 30,080 rndismpx.sys
08/23/2001 07:00 AM 5,888 rootmdm.sys
03/01/2007 01:05 AM 90,496 Rtenicxp.sys
04/23/2007 03:12 AM 4,402,176 RtkHDAud.sys
08/03/2004 10:29 PM 166,912 s3gnbm.sys
11/02/2008 01:44 AM 56,572 scdemu.sys
08/03/2004 03:59 PM 96,256 scsiport.sys
08/03/2004 04:07 PM 67,584 sdbus.sys
07/17/2004 04:36 AM 27,440 secdrv.sys
08/03/2004 03:59 PM 15,488 serenum.sys
08/03/2004 04:15 PM 64,896 serial.sys
08/03/2004 03:59 PM 11,136 sffdisk.sys
04/13/2008 11:40 AM 10,240 sffp_mmc.sys
08/03/2004 03:59 PM 10,240 sffp_sd.sys
08/03/2004 03:59 PM 11,392 sfloppy.sys
08/04/2004 12:56 AM 3,901 siint5.dll
08/03/2004 11:07 PM 41,088 sisagp.sys
08/03/2004 04:10 PM 11,136 slip.sys
08/03/2004 10:41 PM 129,535 slnt7554.sys
08/03/2004 10:41 PM 404,990 slntamr.sys
08/03/2004 10:41 PM 95,424 slnthal.sys
08/03/2004 10:41 PM 13,240 slwdmsup.sys
08/03/2004 06:05 PM 6,016 smbali.sys
08/23/2001 07:00 AM 14,592 smclib.sys
08/03/2004 06:05 PM 25,472 sonydcam.sys
08/03/2004 11:07 PM 6,400 splitter.sys
03/12/2009 07:42 PM 717,296 sptd.sys
08/03/2004 04:06 PM 73,472 sr.sys
12/11/2008 04:57 AM 333,184 srv.sys
08/03/2004 06:05 PM 48,640 stream.sys
08/03/2004 04:10 PM 15,360 streamip.sys
08/03/2004 06:05 PM 4,352 swenum.sys
08/23/2001 07:00 AM 54,272 swmidi.sys
08/03/2004 06:05 PM 60,800 sysaudio.sys
08/03/2004 04:00 PM 14,976 tape.sys
06/20/2008 03:45 AM 360,320 tcpip.sys
06/20/2008 02:52 AM 225,920 tcpip6.sys
08/03/2004 04:07 PM 18,560 tdi.sys
08/03/2004 06:01 PM 12,040 tdpipe.sys
08/03/2004 06:01 PM 21,896 tdtcp.sys
08/04/2004 01:01 AM 40,840 termdd.sys
08/23/2001 07:00 AM 51,712 tosdvd.sys
08/23/2001 07:00 AM 21,376 tsbvcap.sys
08/03/2004 06:05 PM 12,416 tunmp.sys
08/03/2004 11:07 PM 44,672 uagp35.sys
08/03/2004 04:00 PM 66,176 udfs.sys
06/07/2008 09:39 PM UMDF
08/03/2004 03:58 PM 209,408 update.sys
08/03/2004 04:04 PM 12,672 usb8023.sys
08/03/2004 11:04 PM 12,672 usb8023x.sys
08/23/2001 07:00 AM 23,808 usbcamd.sys
08/23/2001 07:00 AM 23,936 usbcamd2.sys
08/03/2004 04:08 PM 31,616 usbccgp.sys
08/23/2001 07:00 AM 4,736 usbd.sys
08/03/2004 04:08 PM 26,624 usbehci.sys
08/03/2004 04:08 PM 57,600 usbhub.sys
08/03/2004 06:05 PM 16,000 usbintel.sys
08/03/2004 04:08 PM 142,976 usbport.sys
08/03/2004 11:01 PM 25,856 usbprint.sys
08/03/2004 10:58 PM 15,104 usbscan.sys
08/03/2004 04:08 PM 26,496 usbstor.sys
08/03/2004 04:08 PM 20,480 usbuhci.sys
08/03/2004 11:10 PM 78,464 usbvideo.sys
08/04/2004 12:56 AM 11,325 vchnt5.dll
08/23/2001 07:00 AM 58,112 vdmindvd.sys
08/03/2004 04:07 PM 20,992 vga.sys
08/03/2004 11:07 PM 42,240 viaagp.sys
08/03/2004 04:07 PM 79,744 videoprt.sys
08/03/2004 04:00 PM 52,352 volsnap.sys
08/03/2004 11:04 PM 13,568 wacompen.sys
08/03/2004 10:29 PM 11,807 wadv07nt.sys
08/03/2004 10:29 PM 11,295 wadv08nt.sys
08/03/2004 10:29 PM 11,871 wadv09nt.sys
08/03/2004 10:29 PM 11,935 wadv11nt.sys
08/03/2004 04:04 PM 34,560 wanarp.sys
08/03/2004 10:29 PM 22,271 watv06nt.sys
08/03/2004 10:29 PM 25,471 watv10nt.sys
08/03/2004 06:05 PM 82,944 wdmaud.sys
08/23/2001 07:00 AM 4,352 wmilib.sys
08/11/2004 02:45 AM 18,944 wpdusb.sys
08/23/2001 07:00 AM 12,032 ws2ifsl.sys
08/03/2004 11:10 PM 19,328 wstcodec.sys
09/28/2006 06:55 PM 77,568 WudfPf.sys
09/28/2006 07:00 PM 82,944 WudfRd.sys
09/01/2004 02:00 AM 71,040 _004777_.tmp.dll
293 File(s) 38,890,505 bytes

Directory of C:\Windows\System32\Drivers\Avg

10/22/2009 10:10 PM .
10/22/2009 10:10 PM ..
10/22/2009 10:09 PM 6,061,540 avi7.avg
10/22/2009 10:10 PM 113,461 iavichjw.avm
10/22/2009 10:10 PM 43,527,784 incavi.avm
10/22/2009 10:09 PM 48,786 microavi.avg
10/22/2009 10:09 PM 492,629 miniavi.avg
5 File(s) 50,244,200 bytes

Directory of C:\Windows\System32\Drivers\disdn

12/17/2007 02:14 PM .
12/17/2007 02:14 PM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

10/22/2009 11:32 PM .
10/22/2009 11:32 PM ..
10/22/2009 11:32 PM 27 hosts
09/01/2004 02:00 AM 734 hosts.bak
09/01/2004 02:00 AM 3,683 lmhosts.sam
09/01/2004 02:00 AM 407 networks
09/01/2004 02:00 AM 799 protocol
09/01/2004 02:00 AM 7,116 services
6 File(s) 12,766 bytes

Directory of C:\Windows\System32\Drivers\UMDF

06/07/2008 09:39 PM .
06/07/2008 09:39 PM ..
10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
305 File(s) 89,818,703 bytes
14 Dir(s) 77,999,415,296 bytes free


***********************Hidden Drivers********************
Volume in drive C has no label.
Volume Serial Number is 3CBF-962C

Directory of C:\Windows\System32\Drivers



*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 816 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 872 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 896 High C:\WINDOWS\system32\winlogon.exe
services.exe 940 Normal C:\WINDOWS\system32\services.exe
lsass.exe 980 Normal C:\WINDOWS\system32\lsass.exe
nvsvc32.exe 1120 Normal C:\WINDOWS\system32\nvsvc32.exe
svchost.exe 1156 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1224 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1320 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1440 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1484 Normal C:\WINDOWS\system32\svchost.exe
spoolsv.exe 1684 Normal C:\WINDOWS\system32\spoolsv.exe
svchost.exe 1848 Normal C:\WINDOWS\system32\svchost.exe
PhotoshopElementsFileAgent.exe 1940 Normal C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
avgwdsvc.exe 2044 Normal C:\Program Files\AVG\AVG9\avgwdsvc.exe
CinemanowSvc.exe 168 Normal C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
PnkBstrA.exe 460 Normal C:\WINDOWS\system32\PnkBstrA.exe
PnkBstrB.exe 536 Normal C:\WINDOWS\system32\PnkBstrB.exe
avgnsx.exe 1556 Normal C:\Program Files\AVG\AVG9\avgnsx.exe
svchost.exe 1816 Normal C:\WINDOWS\system32\svchost.exe
PWRISOVM.EXE 2260 Normal C:\Program Files\PowerISO\PWRISOVM.EXE
realsched.exe 2300 Normal C:\Program Files\Common Files\Real\Update_OB\realsched.exe
GrooveMonitor.exe 2308 Normal C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
RTHDCPL.EXE 2340 Normal C:\WINDOWS\RTHDCPL.EXE
RUNDLL32.EXE 2440 Normal C:\WINDOWS\system32\RUNDLL32.EXE
avgtray.exe 2456 Normal C:\PROGRA~1\AVG\AVG9\avgtray.exe
Core.exe 2488 Normal C:\Program Files\Electronic Arts\EADM\Core.exe
NCLauncher.exe 2504 Normal C:\program files\ncsoft\launcher\NCLauncher.exe
avgrsx.exe 2704 Normal C:\Program Files\AVG\AVG9\avgrsx.exe
avgchsvx.exe 2708 Normal C:\Program Files\AVG\AVG9\avgchsvx.exe
avgcsrvx.exe 2932 Normal C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe 3656 Normal C:\WINDOWS\system32\svchost.exe
wpv121255562528.exe 3732 Normal C:\WINDOWS\Temp\wpv121255562528.exe
wpv871255703227.exe 3784 Normal C:\WINDOWS\Temp\wpv871255703227.exe
rundll32.exe 3840 Normal C:\WINDOWS\system32\rundll32.exe
rundll22.exe 1056 Normal C:\WINDOWS\rundll22.exe
50744828.exe 1500 Normal C:\DOCUME~1\ALLUSE~1\APPLIC~1\50744828\50744828.exe
_ex-08.exe 2692 Normal C:\WINDOWS\Temp\_ex-08.exe
svchost.exe 3528 Normal C:\WINDOWS\system32\svchost.exe
wuauclt.exe 2624 Normal C:\WINDOWS\system32\wuauclt.exe
ctfmon.exe 1920 Normal C:\WINDOWS\system32\ctfmon.exe
Explorer.exe 3960 Normal C:\WINDOWS\Explorer.exe
notepad.exe 4028 Normal C:\WINDOWS\system32\notepad.exe
firefox.exe 4092 Normal C:\Program Files\Mozilla Firefox\firefox.exe
cmd.exe 3540 Normal C:\WINDOWS\system32\cmd.exe
processes.exe 3856 Normal C:\Documents and Settings\Daniel\Desktop\SpiderKill\processes.exe


Module information for 'Explorer.exe'(3960)
MODULE BASE SIZE PATH
Explorer.exe 1000000 1044480 C:\WINDOWS\Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) NT Layer DLL
kernel32.dll 7c800000 1003520 C:\WINDOWS\system32\kernel32.dll 5.1.2600.3541 (xpsp_sp2_gdr.090321-1320) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.3555 (xpsp_sp2_gdr.090415-1235) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.3592 (xpsp_sp2_gdr.090622-1453) Security Support Provider Interface
GDI32.dll 77f10000 294912 C:\WINDOWS\system32\GDI32.dll 5.1.2600.3466 (xpsp_sp2_gdr.081022-1254) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3627 (xpsp_sp2_gdr.090918-1238) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8478720 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3402 (xpsp_sp2_gdr.080702-1233) Windows Shell Common Dll
ole32.dll 774e0000 1294336 C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 5.1.2600.2180
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.3627 (xpsp_sp2_gdr.090918-1238) Shell Browser UI Library
SHDOCVW.dll 7e290000 1515520 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.3627 (xpsp_sp2_gdr.090918-1238) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.3624 (xpsp_sp2_gdr.090904-1413) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.3462 (xpsp_sp2_gdr.081015-1244) Net Win32 API DLL
WININET.dll 771b0000 688128 C:\WINDOWS\system32\WININET.dll 6.00.2900.3627 (xpsp_sp2_gdr.090918-1238) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 36864 C:\WINDOWS\system32\LPK.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Language Pack
USP10.dll 74d90000 438272 C:\WINDOWS\system32\USP10.dll 1.0420.2600.2180 (xpsp_sp2_rtm.040803-2158) Uniscribe Unicode script processor
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
apphelp.dll 77b40000 139264 C:\WINDOWS\system32\apphelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 2001.12.4414.258
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 2001.12.4414.258
GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\system32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
actxprxy.dll 71d40000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
msxml3.dll 74980000 1130496 C:\WINDOWS\system32\msxml3.dll 8.100.1048.0 MSXML 3.0 SP10
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
urlmon.dll 7e1e0000 667648 C:\WINDOWS\system32\urlmon.dll 6.00.2900.3627 (xpsp_sp2_gdr.090918-1238) OLE32 Extensions for Win32
msi.dll 1c80000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Volume Tracking
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
webcheck.dll 74b30000 286720 C:\WINDOWS\system32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.3494 (xpsp_sp2_gdr.081216-1254) Windows HTTP Services
mydocs.dll 72410000 106496 C:\WINDOWS\system32\mydocs.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) My Documents Folder UI
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
browselc.dll 11b0000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
GrooveIntlResource.dll 10000000 921600 C:\Program Files\Microsoft Office\Office12\1033\GrooveIntlResource.dll 12.0.6413.1000 GrooveIntlResource Module
MSFTEDIT.DLL 4b400000 548864 C:\WINDOWS\system32\MSFTEDIT.DLL 5.41.15.1509 Rich Text Edit Control, v4.1
NeroDigitalExt.dll 2a90000 1806336 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll 2, 0, 0, 8 Nero Digital Shell Extension
MFC71.DLL 7c140000 1060864 C:\Program Files\Common Files\Ahead\Lib\MFC71.DLL 7.10.3077.0 MFCDLL Shared Library - Retail Version
MSVCR71.dll 7c340000 352256 C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
MSVCP71.dll 7c3a0000 503808 C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll 7.10.3077.0 Microsoft® C++ Runtime Library
PDFShell.dll 2d70000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 8.1.0.0 PDF Shell Extension
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
odbcint.dll 2dd0000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
sti.dll 73ba0000 77824 C:\WINDOWS\system32\sti.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Still Image Devices client DLL
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\system32\CFGMGR32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Configuration Manager Forwarder DLL
zipfldr.dll 73380000 356352 C:\WINDOWS\system32\zipfldr.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Compressed (zipped) Folders
NBShell.dll 2e10000 81920 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll 2, 7, 3, 1 Nero BackItUp
MFC71U.DLL 3800000 1056768 C:\Program Files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL 7.10.3077.0 MFCDLL Shared Library - Retail Version
rarext.dll 2fd0000 188416 C:\Program Files\WinRAR\rarext.dll
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows script Host
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version



******************************************
EOF

Danimal
Intermediate

Posts: 109
Joined: 2009-03-03
Gender: Male
OS: PC Vista
Protection: McAfee
Points: 29117
Likes: 0

Re: Virus again

Post by Dr Jay on Fri Oct 23, 2009 7:13 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts: 13713
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Protection: Bitdefender Total Security
Points: 302069
Likes: 10

Re: Virus again

Post by Danimal on Sat Oct 24, 2009 4:34 am

Malwarebytes' Anti-Malware 1.41
Database version: 3023
Windows 5.1.2600 Service Pack 2

10/23/2009 9:33:25 PM
mbam-log-2009-10-23 (21-33-25).txt

Scan type: Quick Scan
Objects scanned: 108509
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\50744828\50744828.exe (Rogue.SecurityTool) -> Unloaded process successfully.
C:\WINDOWS\temp\_ex-08.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\Daniel\Application Data\seres.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\Daniel\Application Data\svcst.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\temp\wpv801255703227.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\cpcp.cpo (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50744828 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\promoreg (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\restorer64_a (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: agryui31.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe cpcp.cpo bef0regiiav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\50744828 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Agryui31.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\50744828\50744828.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\seres.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\svcst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\lizkavd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\_ex-68.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\temp\BN20.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\temp\BN6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\7PFCU2I5\Install[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpcp.cpo (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Daniel\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv801255703227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daniel\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv121255562528.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv331256085323.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv521255562528.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv871255703227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv911255594149.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\restorer64_a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Virus again

Post by Danimal on Sat Oct 24, 2009 4:49 am

I know it's not fixed because I'm still getting random popups.


Re: Virus again

Post by Dr Jay on Sat Oct 24, 2009 5:30 am

Please do a scan with [link].

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Dr. Jay (DJ)




Re: Virus again

Post by Danimal on Sat Oct 24, 2009 7:09 pm

Saturday, October 24, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 24, 2009 16:53:25
Records in database: 3060113
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan e-mail databases: yes
  Scan area: My Computer
    A:\
    C:\
    D:\
    E:\
Scan statistics
  Objects scanned: 123121
  Threats found: 13
  Infected objects found: 31
  Suspicious objects found: 0
  Scan duration: 02:49:19

File name Threat Threats count
lsass.exe\Agryui31.dll/lsass.exe\Agryui31.dll Infected: Trojan-Downloader.Win32.Mufanom.dkp 1
explorer.exe\Agryui31.dll/explorer.exe\Agryui31.dll Infected: Trojan-Downloader.Win32.Mufanom.dkp 1
C:\WINDOWS\Temp\wpv161255703227.exe/C:\WINDOWS\Temp\wpv161255703227.exe Infected: Trojan-Proxy.Win32.Small.aeh 1
C:\WINDOWS\Temp\_ex-08.exe/C:\WINDOWS\Temp\_ex-08.exe Infected: Packed.Win32.Krap.w 1
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan-PSW.Win32.Agent.mzh 1
C:\Documents and Settings\Daniel\Local Settings\temp\7.tmp Infected: Backdoor.Win32.Bredavi.aos 1
C:\Documents and Settings\Daniel\Local Settings\temp\8.tmp Infected: Backdoor.Win32.Bredavi.aos 1
C:\Documents and Settings\Daniel\restorer64_a.exe Infected: Trojan-Downloader.Win32.Mutant.fwi 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\02709422\02709422.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\14812218\14812218.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\22856831\22856831.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\51081116\51081116.exe.vir Infected: Trojan.Win32.FraudPack.xek 1
C:\Qoobox\Quarantine\C\Documents and Settings\Daniel\Application Data\lizkavd.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\Daniel\Application Data\seres.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\Daniel\Application Data\svcst.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\Daniel\restorer64_a.exe.vir Infected: Trojan-Downloader.Win32.Mutant.fvc 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AVEngn.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\htmlayout.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qtplugin.exe.vir Infected: Backdoor.Win32.Delf.rbv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\restorer64_a.exe.vir Infected: Trojan-Downloader.Win32.Mutant.fvc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\WINDOWS\system32\restorer64_a.exe Infected: Trojan-Downloader.Win32.Mutant.fwi 1
C:\WINDOWS\system32\spool\prtprocs\w32x86\217.tmp Infected: Packed.Win32.TDSS.z 1
C:\WINDOWS\temp\wpv041255562528.exe Infected: Packed.Win32.Krap.w 1
C:\WINDOWS\temp\wpv161255703227.exe Infected: Trojan-Proxy.Win32.Small.aeh 1
C:\WINDOWS\temp\wpv911256085323.exe Infected: Trojan-Downloader.Win32.Mutant.fwi 1
C:\WINDOWS\temp\_ex-08.exe Infected: Packed.Win32.Krap.w 1
C:\WINDOWS\temp\{3F0EDDF9-C6BB-ECDD-A580-ED9E30289F34}-_ex-08.exe Infected: Email-Worm.Win32.Iksmas.fnn 1
Selected area has been scanned.
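The report above lists every detection together with its path, and a practitioner reading it wants to know which files are still live on the disk and which are copies ComboFix already moved into C:\Qoobox\Quarantine. The following script is an added example, not code from the thread or from any of the tools mentioned in it; it parses a subset of the log lines above (copied verbatim from the report) and splits them into live versus quarantined hits, counting live detections by family and flagging whether a Backdoor detection appears anywhere, since that single finding is what drives Dr Jay's advice further down.

```python
"""Triage a scan report of the form "<path> Infected: <detection> <count>".

Added example, not from the thread.  Splits detections into files still present
on the system versus copies already moved into the ComboFix quarantine folder.
"""
import re
from collections import Counter

# A subset of the scan output posted in the thread, copied verbatim.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Daniel\restorer64_a.exe Infected: Trojan-Downloader.Win32.Mutant.fwi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qtplugin.exe.vir Infected: Backdoor.Win32.Delf.rbv 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\WINDOWS\system32\restorer64_a.exe Infected: Trojan-Downloader.Win32.Mutant.fwi 1
C:\WINDOWS\system32\spool\prtprocs\w32x86\217.tmp Infected: Packed.Win32.TDSS.z 1
C:\WINDOWS\temp\wpv161255703227.exe Infected: Trojan-Proxy.Win32.Small.aeh 1
C:\WINDOWS\temp\{3F0EDDF9-C6BB-ECDD-A580-ED9E30289F34}-_ex-08.exe Infected: Email-Worm.Win32.Iksmas.fnn 1
Selected area has been scanned.
"""

# One detection per line: the path, the literal "Infected:", the name, a count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# ComboFix stores removed files under this folder with a .vir suffix.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_report(text):
    """Return a list of (path, detection_name, count) for every detection line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name"), int(m.group("count"))))
    return hits


def is_quarantined(path):
    """True when the file is a quarantine copy rather than a live file."""
    return path.lower().startswith(QUARANTINE_PREFIX)


def category(detection):
    """First dotted component of the name: Backdoor, Trojan-Downloader, Packed, ..."""
    return detection.split(".", 1)[0]


def triage(text):
    """Split detections into live and quarantined and summarise what is still active."""
    live, quarantined = [], []
    for path, name, _count in parse_report(text):
        (quarantined if is_quarantined(path) else live).append((path, name))
    return {
        "live": live,
        "quarantined": quarantined,
        "live_by_category": Counter(category(name) for _, name in live),
        # A Backdoor detection anywhere, quarantined or not, means the host has to be
        # treated as compromised; removing the file does not undo what it allowed.
        "backdoor_seen": any(category(name) == "Backdoor" for _, name in live + quarantined),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path, name in result["live"]:
        print("LIVE        ", name, path)
    for path, name in result["quarantined"]:
        print("QUARANTINED ", name, path)
    print("live by category:", dict(result["live_by_category"]))
    print("backdoor seen:", result["backdoor_seen"])
```

Run against the subset above it reports five live files (two copies of the Trojan-Downloader, the TDSS-packed print processor file, the proxy trojan and the worm in the temp folder) against two quarantined ones, and `backdoor_seen` is true because of the quarantined qtplugin.exe hit.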


Re: Virus again

Post by Dr Jay on Sat Oct 24, 2009 9:12 pm

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)



Re: Virus again

Post by Danimal on Sat Oct 24, 2009 9:56 pm

Would Windows repair work instead of a reformat?


Re: Virus again

Post by Dr Jay on Sat Oct 24, 2009 11:39 pm

It would not. A repair would work for damaged system files, but does not remove any files. It just repairs the system. A reformat removes everything. So a backup is good to do, for all files. Then do the reformat and reinstall.

That is the easiest to do to make sure you are clean. A reformat and reinstall may take 3-4 hours, whereas we would spend a lot longer here looking for the threat trying to find out where it is.


Dr. Jay (DJ)



Re: Virus again

Post by Danimal on Sat Oct 24, 2009 11:49 pm

How do I back up my files? I don't want to lose anything on my hard drive :/


Re: Virus again

Post by Dr Jay on Sat Oct 24, 2009 11:52 pm

This should help: Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Dr. Jay (DJ)


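Dr Jay's backup guides sit behind the forum login, so the caveat a practitioner would add here is not visible on the page: when copying files off a machine with a known backdoor, copy the data (documents, photos, media) but leave behind anything runnable, since the quarantine listing earlier in the thread shows the malware dropped executables into the user's Application Data folder. The script below is an added example, not from the thread or the linked guides; it copies a profile tree to a backup location, skips executable and script file types plus any path a scan report flagged, and writes a manifest of what it left behind. The folder names in the demo are constructed placeholders.

```python
"""Copy user data off a compromised machine without carrying the infection along.

Added example, not from the thread.  Executable and script file types are never
copied; anything skipped is listed in SKIPPED_FILES.txt in the backup folder so
it can be reviewed after the clean reinstall.
"""
import os
import shutil
import tempfile

# File types that must not be restored from a machine known to be compromised.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".cpl", ".com", ".pif",
    ".bat", ".cmd", ".vbs", ".js", ".tmp",
}


def should_skip(path, flagged_paths):
    """Skip by extension, or because a scan report named this exact file."""
    ext = os.path.splitext(path)[1].lower()
    return ext in RISKY_EXTENSIONS or os.path.normcase(os.path.abspath(path)) in flagged_paths


def backup_profile(src, dst, flagged_paths=()):
    """Copy src into dst; return (copied, skipped) as lists of relative paths."""
    flagged = {os.path.normcase(os.path.abspath(p)) for p in flagged_paths}
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        for fname in files:
            full = os.path.join(root, fname)
            rel = os.path.normpath(os.path.join(rel_root, fname))
            if should_skip(full, flagged):
                skipped.append(rel)
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)  # copy2 keeps timestamps
            copied.append(rel)
    os.makedirs(dst, exist_ok=True)
    with open(os.path.join(dst, "SKIPPED_FILES.txt"), "w") as fh:
        fh.write("\n".join(skipped))
    return copied, skipped


def demo():
    """Build a constructed profile tree in a temp dir, back it up, report results."""
    base = tempfile.mkdtemp(prefix="backup_demo_")
    src, dst = os.path.join(base, "Daniel"), os.path.join(base, "backup")
    # Constructed sample files; the .exe is a harmless text stand-in, not malware.
    sample = {
        os.path.join("My Documents", "thesis.doc"): "constructed document",
        os.path.join("Application Data", "seres.exe"): "constructed stand-in",
        "notes.txt": "constructed notes",
    }
    for rel, body in sample.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    copied, skipped = backup_profile(src, dst)
    to_posix = lambda paths: sorted(p.replace(os.sep, "/") for p in paths)
    manifest_written = os.path.exists(os.path.join(dst, "SKIPPED_FILES.txt"))
    return to_posix(copied), to_posix(skipped), manifest_written


if __name__ == "__main__":
    copied, skipped, manifest = demo()
    print("copied: ", copied)
    print("skipped:", skipped)
    print("manifest written:", manifest)
```

On a real machine `src` would be the user's profile folder and `dst` a folder on an external drive; the `flagged_paths` argument accepts the live-file paths from a scan report so that a flagged document-looking file is skipped too, not only files with risky extensions.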