[Resolved] Virus identified in Win32/Cryptor & Browser Hijack


14 replies to this topic

#1 laven
New Member | Authentic Member | 7 posts

Posted 12 August 2009 - 10:28 AM

Dear all,

Please help my computer. Recently, my PC was hit with a virus and a browser hijack. It has been causing a lot of screen hangs for me: Windows is unable to load, and there are automatic shutdowns due to a services.exe error. I scanned with AVG Free 8.5 and found over 600 exe and dll files infected with trojans. AVG prompted me to reboot, and then none of my exe applications could open. Right now I have restored all the files that had been moved to the virus vault, and all the applications work. However, I am still hit with the virus and the browser hijack. Any gurus care to offer me some help to clean up this mess? Thanks.

1. Virus identified in Win32/Cryptor: \\?\globalroot\systemroot\system32\hjgruiobqwtbao.dll
2. Browser hijack: hxxp://69.31.80.181/rtc/?u=c8ba5ddd+F6BB94B53F87407B8A28010E172F39F8&g=00000000000000000000000000000000&src_id=82&v=1.04


#2 OCD
SuperHelper | Malware Team | 5,574 posts

Posted 12 August 2009 - 10:36 PM

Hello laven,
Welcome to What the Tech.
My name is OCD, I will be helping you with your log today.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

  • You may want to print out these instructions for reference prior to proceeding.
  • This solution is specifically tailored for this particular problem, please do not attempt to use this solution on another computer.
  • If you have any questions, or are uncertain about any steps please ask 'before' proceeding.
- - - - - Next - - - - -

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
- - - - - Next - - - - -

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


- - - - - Next - - - - -

On your next post please provide the following:
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open, and then click UPLOAD.
  • Gmer.txt


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#3 laven
New Member | Authentic Member | 7 posts

Posted 13 August 2009 - 07:16 AM

Hi OCD,

Appreciate your response and guidance.
Performed the scans and this is what I have.

Note that while running GMER, there is a folder, C:\Windows\System32\config\software, that it cannot process, and it shows an alert prompt.
At the end of the scan, another prompt says that GMER has found system modification caused by ROOTKIT activity.

I think GMER is telling the truth!

Looking forward to your next advice and welcome all others who can help my poor PC.
Thanks.

DDS (Ver_09-07-30.01) - NTFSx86
Run by user at 20:56:11.51 on 08/13/2009 Thu
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.511.168 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\dds.pif
C:\WINDOWS\system32\msbne.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWindows: load=c:\windows\system32\msqggmn.exe
uWindows: run=c:\windows\system32\msyelbne.exe
BHO: {01e62567-7c25-461a-8304-2ff4c6d54189} - c:\windows\system32\wjuzjqtl.dll
BHO: {020727F8-D36A-4703-9953-51FE412E1BA5} - No File
BHO: {03CC4ACE-7C25-461A-8304-2FF4C6D54189} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {1e017671-9619-47a8-ad5f-6901b3b7e56a} - c:\windows\system32\mxinxvl.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch_1.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - No File
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
BHO: {F156768E-81EF-470C-9057-481BA8380DBA} - No File
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mExplorerRun: [exec] c:\windows\system32\msxgdf.exe
uPolicies-explorer: NoTaskGrouping = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-my\msntabres.dll.mui/229?1f08787308a74bc38b87c28129125518
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-my\msntabres.dll.mui/230?1f08787308a74bc38b87c28129125518
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501}
DPF: {5D6F45B3-9043-443D-A792-115447494D24}
DPF: {6932D140-ABC4-4073-A44C-D4A541665E35}
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: rlpttbuh - mxinxvl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\9uj4qyr9.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npitunes.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozill~1\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPSWF32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 owzzwtty;owzzwtty;c:\windows\system32\drivers\owzzwtty.sys [2004-8-7 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-6 108552]
R2 atddizbb;TCP/IP Protocol Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 298776]
R2 Ias;Microsoft Security Services Management;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S1 llo62a0;llo62a0;c:\windows\system32\drivers\llo62a0.sys [2009-7-15 18528]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\user\locals~1\temp\FDI75.tmp [2009-8-7 18704]
S3 netcard;netcard;c:\windows\system32\netcard.sys [2004-8-4 2304]
S4 Darkness;Darkness;c:\windows\system\svchost.exe --> c:\windows\system\svchost.exe [?]
S4 msupdate;Microsoft security update service;c:\windows\system32\vhosts.exe --> c:\windows\system32\vhosts.exe [?]

=============== Created Last 30 ================

2009-08-13 00:14 245,760 a------- c:\windows\system32\msxre.exe
2009-08-13 00:13 245,760 a------- c:\windows\system32\mskibz.exe
2009-08-13 00:12 245,760 a------- c:\windows\system32\msfgm.exe
2009-08-13 00:12 245,760 a------- c:\windows\system32\msdxxxz.exe
2009-08-12 00:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
2009-08-09 20:30 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-09 20:30 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-07 19:46 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-08-07 19:45 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-08-07 19:38 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-08-07 19:25 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 19:24 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 19:24 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 19:24 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 19:24 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 19:24 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 19:24 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 19:24 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 19:23 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-07 19:18 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-07 19:18 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-08-07 19:18 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-08-07 19:18 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 19:18 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-07 19:18 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 19:18 <DIR> --d----- c:\windows\ie8updates
2009-08-07 19:18 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-07 19:16 <DIR> -cd-h--- c:\windows\ie8
2009-08-07 18:03 <DIR> --d----- c:\program files\Warcraft Version Switcher
2009-08-06 00:41 <DIR> --d----- c:\program files\Trend Micro
2009-08-06 00:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-06 00:04 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 00:04 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 00:03 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-06 00:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-05 23:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-05 23:00 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-08-02 23:25 <DIR> --d----- c:\program files\Eidos
2009-07-15 17:18 <DIR> --d----- c:\program files\AVG
2009-07-15 15:19 18,528 a------- c:\windows\system32\drivers\llo62a0.sys
2009-07-15 12:38 <DIR> --d----- c:\docume~1\user\applic~1\cqwqquqo

==================== Find3M ====================

2009-08-13 20:40 4 ----h--- c:\windows\fonts\mlog
2009-08-13 00:14 245,760 a------- c:\windows\system32\msxqjj.exe
2009-08-13 00:13 245,760 a------- c:\windows\system32\mskhubot.exe
2009-08-07 16:59 2,684 a------- c:\windows\War3Unin.dat
2009-07-07 23:35 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-04 01:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-27 00:50 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-16 22:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 22:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-04 03:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 20:58:40.48 ===============

Attached Files
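As an added example (not part of this thread, of DDS, or of the helper's procedure), the Python script below runs a few triage heuristics over lines copied from the DDS log above: win.ini load=/run= and Explorer\Run autostarts, unnamed BHOs loading from system32, a Winlogon Notify DLL that is also such a BHO, svchost.exe launched outside system32, services DDS could not attribute ([?]), and clusters of same-size files created in system32. The heuristics, thresholds and severities are my assumptions; the script produces leads for a human reviewer, not verdicts.

```python
"""Triage leads from DDS log lines (Pseudo HJT Report, SERVICES / DRIVERS, Created Last 30).

Added example for this thread; the heuristics are assumptions chosen for the
entries in this log and only produce leads for a human reviewer.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the thread, plus benign ones.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uWindows: load=c:\windows\system32\msqggmn.exe
uWindows: run=c:\windows\system32\msyelbne.exe
BHO: {01e62567-7c25-461a-8304-2ff4c6d54189} - c:\windows\system32\wjuzjqtl.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {1e017671-9619-47a8-ad5f-6901b3b7e56a} - c:\windows\system32\mxinxvl.dll
BHO: {020727F8-D36A-4703-9953-51FE412E1BA5} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [exec] c:\windows\system32\msxgdf.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: rlpttbuh - mxinxvl.dll
R2 atddizbb;TCP/IP Protocol Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 298776]
S4 Darkness;Darkness;c:\windows\system\svchost.exe --> c:\windows\system\svchost.exe [?]
S4 msupdate;Microsoft security update service;c:\windows\system32\vhosts.exe --> c:\windows\system32\vhosts.exe [?]
2009-08-13 00:14 245,760 a------- c:\windows\system32\msxre.exe
2009-08-13 00:13 245,760 a------- c:\windows\system32\mskibz.exe
2009-08-13 00:12 245,760 a------- c:\windows\system32\msfgm.exe
2009-08-13 00:12 245,760 a------- c:\windows\system32\msdxxxz.exe
2009-08-06 00:04 11,952 a------- c:\windows\system32\avgrsstx.dll
"""

# Line shapes as DDS prints them (derived from the log above; not an official grammar).
BHO_RE = re.compile(r"^(?:BHO|TB|EB): (?P<name>.*?)\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<dll>\S+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[(?P<info>[^\]]*)\])?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) \S{8} (?P<path>.+)$")
SYSTEM32 = r"c:\windows\system32"


def triage(log_text):
    """Scan DDS lines and return leads as (severity, reason, line) tuples."""
    leads = []
    nameless_bho_dlls = set()        # basenames of DLLs loaded by BHOs that carry no name
    notify_entries = {}              # dll basename -> Winlogon Notify line
    size_groups = defaultdict(list)  # (directory, size) -> files created with that size
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        bho, notify, svc, created = (BHO_RE.match(line), NOTIFY_RE.match(line),
                                     SVC_RE.match(line), CREATED_RE.match(line))
        if line.startswith(("uWindows: load=", "uWindows: run=")):
            leads.append(("high", "win.ini load=/run= autostart, essentially unused by legitimate software", line))
        elif line.startswith("mExplorerRun:"):
            leads.append(("high", "Explorer\\Run autostart, a rarely used key", line))
        elif bho:
            path = bho["path"].lower()
            if path != "no file" and not bho["name"].strip(": ") and path.startswith(SYSTEM32):
                nameless_bho_dlls.add(path.rsplit("\\", 1)[-1])
                leads.append(("medium", "unnamed browser helper object loading from system32", line))
        elif notify:
            notify_entries[notify["dll"].lower()] = line
        elif svc:
            path = svc["path"].lower()
            if "svchost.exe" in path and not path.startswith(SYSTEM32 + "\\svchost.exe"):
                leads.append(("high", "svchost.exe launched from a non-standard directory", line))
            elif svc["info"] == "?":
                leads.append(("medium", "service binary missing or unreadable (DDS reports [?])", line))
        elif created:
            directory = created["path"].lower().rpartition("\\")[0]
            size_groups[(directory, created["size"])].append(created["path"])
    # Cross-reference: a Winlogon Notify DLL that is also an unnamed BHO is a strong lead.
    for dll, line in notify_entries.items():
        if dll in nameless_bho_dlls:
            leads.append(("high", "Winlogon Notify package is the same DLL as an unnamed BHO", line))
    # Several freshly created files of identical size in system32 suggest a dropper at work.
    for (directory, size), files in size_groups.items():
        if len(files) >= 3 and directory.startswith(SYSTEM32):
            leads.append(("medium", f"{len(files)} files of identical size {size} created in {directory}",
                          "; ".join(files)))
    return leads


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```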



#4 OCD
SuperHelper | Malware Team | 5,574 posts

Posted 14 August 2009 - 04:09 AM

laven,

You have requested help from here. Before we continue please notify the other forum that you are getting help at WTT and have them close that thread.

Your computer is quite infected. It is very important that you do not run any tools or attempt any fixes other than the ones I request.
Doing so can either delay our progress or render your computer inoperable. Malware removal can take numerous steps and tools to remove all threats.
Absence of symptoms does not necessarily mean you are clean. Please stay with the thread until I give you the all clear.
I appreciate your patience and understanding.

- - - - - Next - - - - -

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools > Options > Main tab
    • Set to "Always ask me where to save the files".
Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.
    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

NOTE: ComboFix shall request to install the Recovery Console, please ALLOW it to do so.

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Combo-Fix.txt log
  • Tell me how your computer is running at the moment.


OCD


#5 laven
New Member | Authentic Member | 7 posts

Posted 14 August 2009 - 08:31 AM

Hi OCD,

Thank you for the advice.
Attached combo-fix log for your reference.

During the scan by Combo-Fix, it prompted that these rootkit files are abnormal:
C:\WINDOWS\system32\drivers\hjgruietepxturr.sys
C:\WINDOWS\system32\hjgruiirpixdal.dll
C:\WINDOWS\system32\hjgruipbjxako.dat
C:\WINDOWS\system32\hjgruipqwtbao.dll
C:\WINDOWS\system32\hjgruilyardktv.dat

During the reboot, there was a prompt with some 000000000 error. When I pressed OK to terminate, NT AUTHORITY\SYSTEM forced a shutdown in 1 min, saying that I have some errors with C:\WINDOWS\system32\services.exe, fault 1073741819.

Hope this info will help.
Awaiting your next actions.
Thanks.


ComboFix 09-08-10.06 - user 4/2009 Fri 21:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.511.165 [GMT 8:00]
执行位置: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msinpbgs.exe
c:\windows\system32\msiogm.exe
c:\windows\system32\msipnom.exe
c:\windows\system32\msipsd.exe
c:\windows\system32\msiqy.exe
c:\windows\system32\msirq.exe
c:\windows\system32\msisyc.exe
c:\windows\system32\msivf.exe
c:\windows\system32\msivuzcx.exe
c:\windows\system32\msiwpftf.exe
c:\windows\system32\msixbuc.exe
c:\windows\system32\msixdg.exe
c:\windows\system32\msiyi.exe
c:\windows\system32\msiyjc.exe
c:\windows\system32\msizvpft.exe
c:\windows\system32\msjagn.exe
c:\windows\system32\msjazg.exe
c:\windows\system32\msjcl.exe
c:\windows\system32\msjcnel.exe
c:\windows\system32\msjdn.exe
c:\windows\system32\msjefs.exe
c:\windows\system32\msjeh.exe
c:\windows\system32\msjeiuqn.exe
c:\windows\system32\msjgcaag.exe
c:\windows\system32\msjhv.exe
c:\windows\system32\msjia.exe
c:\windows\system32\msjkux.exe
c:\windows\system32\msjkvs.exe
c:\windows\system32\msjllneu.exe
c:\windows\system32\msjmjwqt.exe
c:\windows\system32\msjna.exe
c:\windows\system32\msjobdfn.exe
c:\windows\system32\msjojihc.exe
c:\windows\system32\msjopgvh.exe
c:\windows\system32\msjpth.exe
c:\windows\system32\msjpxovo.exe
c:\windows\system32\msjqw.exe
c:\windows\system32\msjrb.exe
c:\windows\system32\msjrcmjx.exe
c:\windows\system32\msjrihp.exe
c:\windows\system32\msjrl.exe
c:\windows\system32\msjsiyof.exe
c:\windows\system32\msjtqq.exe
c:\windows\system32\msjwcyve.exe
c:\windows\system32\msjwhyz.exe
c:\windows\system32\msjxju.exe
c:\windows\system32\msjzjbd.exe
c:\windows\system32\mskag.exe
c:\windows\system32\mskagsnb.exe
c:\windows\system32\mskasslj.exe
c:\windows\system32\mskcdwkx.exe
c:\windows\system32\mskck.exe
c:\windows\system32\mskcuhjw.exe
c:\windows\system32\mskdgzw.exe
c:\windows\system32\mskecco.exe
c:\windows\system32\mskexifk.exe
c:\windows\system32\mskey.exe
c:\windows\system32\mskfu.exe
c:\windows\system32\mskgnqd.exe
c:\windows\system32\mskhfjd.exe
c:\windows\system32\mskhubot.exe
c:\windows\system32\mskibz.exe
c:\windows\system32\mskkp.exe
c:\windows\system32\mskkr.exe
c:\windows\system32\msklbswy.exe
c:\windows\system32\msklcrhl.exe
c:\windows\system32\msklknxq.exe
c:\windows\system32\mskmhxf.exe
c:\windows\system32\msknklba.exe
c:\windows\system32\mskok.exe
c:\windows\system32\mskpk.exe
c:\windows\system32\mskqshj.exe
c:\windows\system32\mskrmsq.exe
c:\windows\system32\mskrn.exe
c:\windows\system32\mskrqapt.exe
c:\windows\system32\mskrwn.exe
c:\windows\system32\msktnj.exe
c:\windows\system32\msktyj.exe
c:\windows\system32\mskucpqa.exe
c:\windows\system32\mskugpk.exe
c:\windows\system32\mskunm.exe
c:\windows\system32\mskunzic.exe
c:\windows\system32\mskvcgzg.exe
c:\windows\system32\mskvmon.exe
c:\windows\system32\mskvxhfo.exe
c:\windows\system32\mskwajqs.exe
c:\windows\system32\mskwemqx.exe
c:\windows\system32\mskwqsgm.exe
c:\windows\system32\mskydy.exe
c:\windows\system32\mskyeby.exe
c:\windows\system32\mskyja.exe
c:\windows\system32\mskykqg.exe
c:\windows\system32\mskzfz.exe
c:\windows\system32\mskzhvmq.exe
c:\windows\system32\mslarx.exe
c:\windows\system32\mslcbtnj.exe
c:\windows\system32\mslcetn.exe
c:\windows\system32\msldan.exe
c:\windows\system32\msldo.exe
c:\windows\system32\msldoi.exe
c:\windows\system32\msldpl.exe
c:\windows\system32\mslemmm.exe
c:\windows\system32\mslennf.exe
c:\windows\system32\mslep.exe
c:\windows\system32\mslepjx.exe
c:\windows\system32\msles.exe
c:\windows\system32\mslfjboh.exe
c:\windows\system32\mslfkw.exe
c:\windows\system32\mslhhxbt.exe
c:\windows\system32\mslhkqzo.exe
c:\windows\system32\mslht.exe
c:\windows\system32\msljcmcu.exe
c:\windows\system32\msljgnxg.exe
c:\windows\system32\mslkgktl.exe
c:\windows\system32\msloig.exe
c:\windows\system32\mslpevq.exe
c:\windows\system32\mslpxh.exe
c:\windows\system32\mslpzdql.exe
c:\windows\system32\mslqmlab.exe
c:\windows\system32\mslqr.exe
c:\windows\system32\mslqsgl.exe
c:\windows\system32\mslqsr.exe
c:\windows\system32\mslrkfa.exe
c:\windows\system32\mslrqhs.exe
c:\windows\system32\mslsmm.exe
c:\windows\system32\mslsmzuu.exe
c:\windows\system32\mslswrx.exe
c:\windows\system32\mslthj.exe
c:\windows\system32\msltic.exe
c:\windows\system32\msluumcn.exe
c:\windows\system32\msluwwen.exe
c:\windows\system32\mslvddz.exe
c:\windows\system32\mslvfcj.exe
c:\windows\system32\mslvs.exe
c:\windows\system32\mslwj.exe
c:\windows\system32\mslwl.exe
c:\windows\system32\mslwpi.exe
c:\windows\system32\mslxip.exe
c:\windows\system32\mslzdae.exe
c:\windows\system32\mslzu.exe
c:\windows\system32\mslzwh.exe
c:\windows\system32\msmchijb.exe
c:\windows\system32\msmcwvhf.exe
c:\windows\system32\msmfld.exe
c:\windows\system32\msmfw.exe
c:\windows\system32\msmgh.exe
c:\windows\system32\msmhfnl.exe
c:\windows\system32\msmisou.exe
c:\windows\system32\msmjd.exe
c:\windows\system32\msmjtq.exe
c:\windows\system32\msmjwdgu.exe
c:\windows\system32\msmjwp.exe
c:\windows\system32\msmmmc.exe
c:\windows\system32\msmokp.exe
c:\windows\system32\msmot.exe
c:\windows\system32\msmov.exe
c:\windows\system32\msmoxjx.exe
c:\windows\system32\msmprcbx.exe
c:\windows\system32\msmqmo.exe
c:\windows\system32\msmrlusa.exe
c:\windows\system32\msmsq.exe
c:\windows\system32\msmszbx.exe
c:\windows\system32\msmtp.exe
c:\windows\system32\msmtveee.exe
c:\windows\system32\msmugnox.exe
c:\windows\system32\msmulvd.exe
c:\windows\system32\msmvo.exe
c:\windows\system32\msmwel.exe
c:\windows\system32\msmwg.exe
c:\windows\system32\msmwwdp.exe
c:\windows\system32\msmwypzz.exe
c:\windows\system32\msmxvx.exe
c:\windows\system32\msmyn.exe
c:\windows\system32\msmzeh.exe
c:\windows\system32\msnagltq.exe
c:\windows\system32\msnawts.exe
c:\windows\system32\msncdilz.exe
c:\windows\system32\msncifu.exe
c:\windows\system32\msnde.exe
c:\windows\system32\msndet.exe
c:\windows\system32\msnewkkm.exe
c:\windows\system32\msnfuqz.exe
c:\windows\system32\msnigy.exe
c:\windows\system32\msnin.exe
c:\windows\system32\msnintp.exe
c:\windows\system32\msniy.exe
c:\windows\system32\msnjq.exe
c:\windows\system32\msnkxg.exe
c:\windows\system32\msnmjww.exe
c:\windows\system32\msnmtki.exe
c:\windows\system32\msnnhkr.exe
c:\windows\system32\msnnk.exe
c:\windows\system32\msnpd.exe
c:\windows\system32\msnph.exe
c:\windows\system32\msnpttgo.exe
c:\windows\system32\msnqkzgl.exe
c:\windows\system32\msnqnsn.exe
c:\windows\system32\msnqxz.exe
c:\windows\system32\msnrabft.exe
c:\windows\system32\msnrnuj.exe
c:\windows\system32\msnsnuzo.exe
c:\windows\system32\msnsskf.exe
c:\windows\system32\msntv.exe
c:\windows\system32\msnvtz.exe
c:\windows\system32\msnwngv.exe
c:\windows\system32\msnwsi.exe
c:\windows\system32\msnyeu.exe
c:\windows\system32\msnyeyey.exe
c:\windows\system32\msnyty.exe
c:\windows\system32\msnzovh.exe
c:\windows\system32\msoai.exe
c:\windows\system32\msoak.exe
c:\windows\system32\msoax.exe
c:\windows\system32\msobeo.exe
c:\windows\system32\msobus.exe
c:\windows\system32\msoci.exe
c:\windows\system32\msocji.exe
c:\windows\system32\msodqis.exe
c:\windows\system32\msoet.exe
c:\windows\system32\msoget.exe
c:\windows\system32\msohboo.exe
c:\windows\system32\msohwqsm.exe
c:\windows\system32\msoilpt.exe
c:\windows\system32\msoiquey.exe
c:\windows\system32\msoisg.exe
c:\windows\system32\msojcu.exe
c:\windows\system32\msojjafp.exe
c:\windows\system32\msokb.exe
c:\windows\system32\msokvce.exe
c:\windows\system32\msokyx.exe
c:\windows\system32\msomszjb.exe
c:\windows\system32\msoneimk.exe
c:\windows\system32\msooqtc.exe
c:\windows\system32\msooww.exe
c:\windows\system32\msopaa.exe
c:\windows\system32\msoqvqvt.exe
c:\windows\system32\msorkf.exe
c:\windows\system32\msouh.exe
c:\windows\system32\msoui.exe
c:\windows\system32\msovh.exe
c:\windows\system32\msovqni.exe
c:\windows\system32\msoxhj.exe
c:\windows\system32\msoyd.exe
c:\windows\system32\msoye.exe
c:\windows\system32\msoyfw.exe
c:\windows\system32\msoyy.exe
c:\windows\system32\msozrs.exe
c:\windows\system32\msoztl.exe
c:\windows\system32\msozy.exe
c:\windows\system32\mspambvy.exe
c:\windows\system32\mspavwk.exe
c:\windows\system32\mspbqwe.exe
c:\windows\system32\mspcanc.exe
c:\windows\system32\mspdw.exe
c:\windows\system32\mspexhs.exe
c:\windows\system32\mspfredc.exe
c:\windows\system32\mspgpli.exe
c:\windows\system32\mspgpu.exe
c:\windows\system32\mspgx.exe
c:\windows\system32\msphqj.exe
c:\windows\system32\mspiem.exe
c:\windows\system32\mspik.exe
c:\windows\system32\mspix.exe
c:\windows\system32\mspkzfu.exe
c:\windows\system32\msplpcag.exe
c:\windows\system32\mspob.exe
c:\windows\system32\mspon.exe
c:\windows\system32\msppnyd.exe
c:\windows\system32\mspqk.exe
c:\windows\system32\mspsqurd.exe
c:\windows\system32\msptmiq.exe
c:\windows\system32\mspwdrwq.exe
c:\windows\system32\mspwf.exe
c:\windows\system32\mspwvor.exe
c:\windows\system32\mspwzb.exe
c:\windows\system32\mspymiz.exe
c:\windows\system32\mspyqml.exe
c:\windows\system32\mspzje.exe
c:\windows\system32\mspzw.exe
c:\windows\system32\msqakd.exe
c:\windows\system32\msqazrr.exe
c:\windows\system32\msqbzxni.exe
c:\windows\system32\msqcmaw.exe
c:\windows\system32\msqcymq.exe
c:\windows\system32\msqda.exe
c:\windows\system32\msqdd.exe
c:\windows\system32\msqdlq.exe
c:\windows\system32\msqgdf.exe
c:\windows\system32\msqggmn.exe
c:\windows\system32\msqhcbdf.exe
c:\windows\system32\msqiqojr.exe
c:\windows\system32\msqittw.exe
c:\windows\system32\msqiw.exe
c:\windows\system32\msqiz.exe
c:\windows\system32\msqjg.exe
c:\windows\system32\msqmclt.exe
c:\windows\system32\msqmic.exe
c:\windows\system32\msqmo.exe
c:\windows\system32\msqoph.exe
c:\windows\system32\msqoudho.exe
c:\windows\system32\msqqd.exe
c:\windows\system32\msqqgltn.exe
c:\windows\system32\msqrkfo.exe
c:\windows\system32\msqslmd.exe
c:\windows\system32\msqtjcdq.exe
c:\windows\system32\msqucth.exe
c:\windows\system32\msquqysx.exe
c:\windows\system32\msqvqxyg.exe
c:\windows\system32\msqwqjs.exe
c:\windows\system32\msqwuwx.exe
c:\windows\system32\msqxfutv.exe
c:\windows\system32\msqxl.exe
c:\windows\system32\msqza.exe
c:\windows\system32\msrbfhfa.exe
c:\windows\system32\msrcvmdk.exe
c:\windows\system32\msrdsucw.exe
c:\windows\system32\msrehf.exe
c:\windows\system32\msrerts.exe
c:\windows\system32\msrfbxms.exe
c:\windows\system32\msrfjyw.exe
c:\windows\system32\msrhu.exe
c:\windows\system32\msrkb.exe
c:\windows\system32\msrkdw.exe
c:\windows\system32\msrlpf.exe
c:\windows\system32\msrniq.exe
c:\windows\system32\msrozzee.exe
c:\windows\system32\msrqxdh.exe
c:\windows\system32\msrrgw.exe
c:\windows\system32\msrsk.exe
c:\windows\system32\msruv.exe
c:\windows\system32\msruva.exe
c:\windows\system32\msrvh.exe
c:\windows\system32\msrvk.exe
c:\windows\system32\msrvkmv.exe
c:\windows\system32\msrwznge.exe
c:\windows\system32\msrxeb.exe
c:\windows\system32\msrxg.exe
c:\windows\system32\msryu.exe
c:\windows\system32\msryzx.exe
c:\windows\system32\mssavz.exe
c:\windows\system32\mssbv.exe
c:\windows\system32\mssby.exe
c:\windows\system32\msscyn.exe
c:\windows\system32\mssfxayj.exe
c:\windows\system32\mssheveb.exe
c:\windows\system32\msshj.exe
c:\windows\system32\msshx.exe
c:\windows\system32\mssicoa.exe
c:\windows\system32\mssiohul.exe
c:\windows\system32\mssjgs.exe
c:\windows\system32\msskv.exe
c:\windows\system32\msslyqm.exe
c:\windows\system32\mssmb.exe
c:\windows\system32\mssmfwri.exe
c:\windows\system32\mssnfiio.exe
c:\windows\system32\mssoatr.exe
c:\windows\system32\mssqjg.exe
c:\windows\system32\mssqjsn.exe
c:\windows\system32\mssquc.exe
c:\windows\system32\mssri.exe
c:\windows\system32\mssrnjn.exe
c:\windows\system32\mssro.exe
c:\windows\system32\msssd.exe
c:\windows\system32\mssta.exe
c:\windows\system32\mssuey.exe
c:\windows\system32\mssvmol.exe
c:\windows\system32\msswd.exe
c:\windows\system32\mssxi.exe
c:\windows\system32\mssxnx.exe
c:\windows\system32\mssxx.exe
c:\windows\system32\mssyat.exe
c:\windows\system32\mssyb.exe
c:\windows\system32\mssyjy.exe
c:\windows\system32\msszga.exe
c:\windows\system32\mstaq.exe
c:\windows\system32\mstathhi.exe
c:\windows\system32\mstcrirn.exe
c:\windows\system32\mstdmgc.exe
c:\windows\system32\mstdsu.exe
c:\windows\system32\mstex.exe
c:\windows\system32\mstflauw.exe
c:\windows\system32\mstfngw.exe
c:\windows\system32\mstfomg.exe
c:\windows\system32\mstgz.exe
c:\windows\system32\mstjfkpz.exe
c:\windows\system32\mstkkakx.exe
c:\windows\system32\mstlk.exe
c:\windows\system32\mstlmqz.exe
c:\windows\system32\mstmy.exe
c:\windows\system32\mstmzw.exe
c:\windows\system32\mstnrrfa.exe
c:\windows\system32\mstnsz.exe
c:\windows\system32\mstomfoa.exe
c:\windows\system32\mstqflpr.exe
c:\windows\system32\mstriwat.exe
c:\windows\system32\msttk.exe
c:\windows\system32\msttx.exe
c:\windows\system32\mstuhsxi.exe
c:\windows\system32\mstujv.exe
c:\windows\system32\mstva.exe
c:\windows\system32\mstxh.exe
c:\windows\system32\mstxil.exe
c:\windows\system32\mstyeq.exe
c:\windows\system32\mstyh.exe
c:\windows\system32\mstzwx.exe
c:\windows\system32\msuapqyw.exe
c:\windows\system32\msubj.exe
c:\windows\system32\msubljj.exe
c:\windows\system32\msucia.exe
c:\windows\system32\msuctdkb.exe
c:\windows\system32\msucvehi.exe
c:\windows\system32\msucvxkl.exe
c:\windows\system32\msudozw.exe
c:\windows\system32\msudsnn.exe
c:\windows\system32\msueesze.exe
c:\windows\system32\msuefiin.exe
c:\windows\system32\msueom.exe
c:\windows\system32\msuett.exe
c:\windows\system32\msufakf.exe
c:\windows\system32\msufsp.exe
c:\windows\system32\msugrr.exe
c:\windows\system32\msugt.exe
c:\windows\system32\msuhch.exe
c:\windows\system32\msuhsn.exe
c:\windows\system32\msuicui.exe
c:\windows\system32\msuisw.exe
c:\windows\system32\msujq.exe
c:\windows\system32\msuke.exe
c:\windows\system32\msulhp.exe
c:\windows\system32\msumros.exe
c:\windows\system32\msunnif.exe
c:\windows\system32\msuod.exe
c:\windows\system32\msuojncg.exe
c:\windows\system32\msuokb.exe
c:\windows\system32\msuonzca.exe
c:\windows\system32\msuoz.exe
c:\windows\system32\msupkic.exe
c:\windows\system32\msupqsci.exe
c:\windows\system32\msuquvbo.exe
c:\windows\system32\msurtur.exe
c:\windows\system32\msusfkw.exe
c:\windows\system32\msushb.exe
c:\windows\system32\msutmg.exe
c:\windows\system32\msuuub.exe
c:\windows\system32\msuuwu.exe
c:\windows\system32\msuvsryz.exe
c:\windows\system32\msuvuiki.exe
c:\windows\system32\msuwhw.exe
c:\windows\system32\msuyzzo.exe
c:\windows\system32\msuzqnj.exe
c:\windows\system32\msvbfqn.exe
c:\windows\system32\msvbpb.exe
c:\windows\system32\msvcwgs.exe
c:\windows\system32\msvfzku.exe
c:\windows\system32\msvgjgmf.exe
c:\windows\system32\msvgsq.exe
c:\windows\system32\msvgynmh.exe
c:\windows\system32\msvhin.exe
c:\windows\system32\msvhkiqo.exe
c:\windows\system32\msviyn.exe
c:\windows\system32\msvjfhq.exe
c:\windows\system32\msvjxoxg.exe
c:\windows\system32\msvklv.exe
c:\windows\system32\msvkrad.exe
c:\windows\system32\msvlhots.exe
c:\windows\system32\msvlw.exe
c:\windows\system32\msvlx.exe
c:\windows\system32\msvndth.exe
c:\windows\system32\msvnvp.exe
c:\windows\system32\msvoss.exe
c:\windows\system32\msvpqd.exe
c:\windows\system32\msvqcdh.exe
c:\windows\system32\msvqwcwq.exe
c:\windows\system32\msvreizw.exe
c:\windows\system32\msvrgrs.exe
c:\windows\system32\msvrii.exe
c:\windows\system32\msvrp.exe
c:\windows\system32\msvsag.exe
c:\windows\system32\msvspr.exe
c:\windows\system32\msvtltz.exe
c:\windows\system32\msvtsn.exe
c:\windows\system32\msvtwra.exe
c:\windows\system32\msvucu.exe
c:\windows\system32\msvusus.exe
c:\windows\system32\msvvgaf.exe
c:\windows\system32\msvwaudx.exe
c:\windows\system32\msvxqjgo.exe
c:\windows\system32\msvxwg.exe
c:\windows\system32\msvyvw.exe
c:\windows\system32\msvzhinw.exe
c:\windows\system32\mswccqjh.exe
c:\windows\system32\mswdbuzl.exe
c:\windows\system32\mswdouz.exe
c:\windows\system32\msweq.exe
c:\windows\system32\msweuaac.exe
c:\windows\system32\mswfuzx.exe
c:\windows\system32\mswhcnfy.exe
c:\windows\system32\mswhdvb.exe
c:\windows\system32\mswhucer.exe
c:\windows\system32\mswhvd.exe
c:\windows\system32\mswktzz.exe
c:\windows\system32\mswkxmh.exe
c:\windows\system32\mswlvcz.exe
c:\windows\system32\mswnqv.exe
c:\windows\system32\mswol.exe
c:\windows\system32\mswonzd.exe
c:\windows\system32\mswpdv.exe
c:\windows\system32\mswpgdha.exe
c:\windows\system32\mswrkwa.exe
c:\windows\system32\mswsljv.exe
c:\windows\system32\mswukcm.exe
c:\windows\system32\mswulomx.exe
c:\windows\system32\mswun.exe
c:\windows\system32\mswuw.exe
c:\windows\system32\mswuzkf.exe
c:\windows\system32\mswwcfz.exe
c:\windows\system32\mswwl.exe
c:\windows\system32\mswwuhjg.exe
c:\windows\system32\mswxowyz.exe
c:\windows\system32\mswycrll.exe
c:\windows\system32\mswyh.exe
c:\windows\system32\mswza.exe
c:\windows\system32\mswzpz.exe
c:\windows\system32\mswzzac.exe
c:\windows\system32\msxatxd.exe
c:\windows\system32\msxchzua.exe
c:\windows\system32\msxcn.exe
c:\windows\system32\msxcsmtb.exe
c:\windows\system32\msxcv.exe
c:\windows\system32\msxdhpz.exe
c:\windows\system32\msxdnzvd.exe
c:\windows\system32\msxdppj.exe
c:\windows\system32\msxdqckk.exe
c:\windows\system32\msxegpf.exe
c:\windows\system32\msxejkqk.exe
c:\windows\system32\msxeqwx.exe
c:\windows\system32\msxfoqzj.exe
c:\windows\system32\msxgdf.exe
c:\windows\system32\msxhdr.exe
c:\windows\system32\msxhjuu.exe
c:\windows\system32\msxhs.exe
c:\windows\system32\msxiazgq.exe
c:\windows\system32\msxjpf.exe
c:\windows\system32\msxka.exe
c:\windows\system32\msxkovns.exe
c:\windows\system32\msxlwuf.exe
c:\windows\system32\msxmgc.exe
c:\windows\system32\msxmkdbw.exe
c:\windows\system32\msxmqiw.exe
c:\windows\system32\msxmxp.exe
c:\windows\system32\msxnh.exe
c:\windows\system32\msxnk.exe
c:\windows\system32\msxpqy.exe
c:\windows\system32\msxpt.exe
c:\windows\system32\msxqjj.exe
c:\windows\system32\msxqs.exe
c:\windows\system32\msxre.exe
c:\windows\system32\msxsfc.exe
c:\windows\system32\msxsp.exe
c:\windows\system32\msxtytha.exe
c:\windows\system32\msxuumg.exe
c:\windows\system32\msxwdrwd.exe
c:\windows\system32\msxwqruj.exe
c:\windows\system32\msxwvltf.exe
c:\windows\system32\msxyyeth.exe
c:\windows\system32\msxzjxbq.exe
c:\windows\system32\msxzn.exe
c:\windows\system32\msxzoik.exe
c:\windows\system32\msxzprhu.exe
c:\windows\system32\msxzrme.exe
c:\windows\system32\msxzs.exe
c:\windows\system32\msxzukt.exe
c:\windows\system32\msyaav.exe
c:\windows\system32\msyelbne.exe
c:\windows\system32\msyewhry.exe
c:\windows\system32\msyfsbkg.exe
c:\windows\system32\msyfuo.exe
c:\windows\system32\msyheddj.exe
c:\windows\system32\msyjoicv.exe
c:\windows\system32\msykfcrl.exe
c:\windows\system32\msykg.exe
c:\windows\system32\msyklch.exe
c:\windows\system32\msykq.exe
c:\windows\system32\msyljgo.exe
c:\windows\system32\msylqp.exe
c:\windows\system32\msymnjg.exe
c:\windows\system32\msynf.exe
c:\windows\system32\msynth.exe
c:\windows\system32\msypqgay.exe
c:\windows\system32\msyqd.exe
c:\windows\system32\msyqz.exe
c:\windows\system32\msyrql.exe
c:\windows\system32\msyuam.exe
c:\windows\system32\msyuzhi.exe
c:\windows\system32\msyvo.exe
c:\windows\system32\msywan.exe
c:\windows\system32\msyyy.exe
c:\windows\system32\mszaw.exe
c:\windows\system32\mszdrw.exe
c:\windows\system32\mszfabsw.exe
c:\windows\system32\mszfdr.exe
c:\windows\system32\mszfi.exe
c:\windows\system32\msziy.exe
c:\windows\system32\mszjw.exe
c:\windows\system32\mszkrce.exe
c:\windows\system32\mszkslyy.exe
c:\windows\system32\mszlw.exe
c:\windows\system32\mszmowz.exe
c:\windows\system32\msznd.exe
c:\windows\system32\mszogms.exe
c:\windows\system32\mszohxc.exe
c:\windows\system32\mszppl.exe
c:\windows\system32\mszqtv.exe
c:\windows\system32\mszrclbu.exe
c:\windows\system32\mszsfmn.exe
c:\windows\system32\msztimyv.exe
c:\windows\system32\mszuftnw.exe
c:\windows\system32\mszuja.exe
c:\windows\system32\mszvqgjk.exe
c:\windows\system32\mszvvbl.exe
c:\windows\system32\mszwoxh.exe
c:\windows\system32\mszwr.exe
c:\windows\system32\mszwrfpf.exe
c:\windows\system32\mszwtbxw.exe
c:\windows\system32\mszwwtq.exe
c:\windows\system32\mszxico.exe
c:\windows\system32\mszyzvi.exe
c:\windows\system32\mszzdj.exe
c:\windows\system32\mszzldm.exe
c:\windows\system32\mszzq.exe
c:\windows\system32\mxinxvl.dll
c:\windows\system32\netcard.sys
c:\windows\system32\pitrdeb.dll
c:\windows\system32\wjuzjqtl.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruilloyxjex
-------\Legacy_hjgruilloyxjex
-------\Legacy_6TO4
-------\Legacy_ATDDIZBB
-------\Legacy_IAS
-------\Legacy_MSUPDATE
-------\Legacy_NETCARD
-------\Legacy_OWZZWTTY
-------\Service_6to4
-------\Service_atddizbb
-------\Service_Ias
-------\Service_msupdate
-------\Service_netcard
-------\Service_owzzwtty


((((((((((((((((((((((((( Files created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-13 12:18 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 16:26 . 2009-08-11 16:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-11 16:20 . 2009-08-11 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-08-11 16:20 . 2009-08-11 16:27 -------- d-----w- c:\program files\RegCure
2009-08-09 12:30 . 2009-08-12 16:15 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 11:46 . 2009-08-07 11:46 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-08-07 11:45 . 2009-08-07 11:45 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-08-07 11:38 . 2009-08-07 11:38 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-08-07 11:38 . 2009-08-07 11:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-07 11:25 . 2009-08-07 11:25 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-07 11:25 . 2009-08-07 11:25 -------- d-----w- c:\program files\MSBuild
2009-08-07 11:24 . 2009-08-07 11:24 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 11:24 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 11:24 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 11:24 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 11:24 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 11:24 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 11:24 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 11:24 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 11:23 . 2009-08-07 11:36 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-07 11:18 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-07 11:18 . 2009-07-19 10:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-07 11:18 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-07 11:18 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-07 11:18 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-07 11:18 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-07 11:18 . 2009-08-07 11:18 -------- d-----w- c:\windows\ie8updates
2009-08-07 11:18 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-07 11:16 . 2009-08-07 11:17 -------- dc-h--w- c:\windows\ie8
2009-08-07 10:03 . 2009-08-09 16:29 -------- d-----w- c:\program files\Warcraft Version Switcher
2009-08-05 16:41 . 2009-08-05 16:41 -------- d-----w- c:\program files\Trend Micro
2009-08-05 16:04 . 2009-08-05 16:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-05 16:04 . 2009-08-05 16:04 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-05 16:04 . 2009-08-05 16:04 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 16:04 . 2009-08-05 16:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 16:03 . 2009-08-11 15:26 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-05 16:03 . 2009-08-11 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 15:57 . 2009-08-05 15:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-05 15:01 . 2009-08-05 15:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Live Writer
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 15:25 . 2009-08-02 15:25 -------- d-----w- c:\program files\Eidos
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Files modified within the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 13:24 . 1987-11-13 03:56 -------- d-----w- c:\program files\FlashGet
2009-08-09 17:27 . 2007-07-24 04:59 63792 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 08:59 . 2007-09-25 05:49 2684 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 16:57 . 2007-07-23 07:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-03 02:57 . 2009-07-08 14:55 -------- d-----w- c:\program files\CM2008 Editor
2009-07-19 13:26 . 2007-07-25 06:03 31 ----a-w- c:\windows\popcinfo.dat
2009-07-17 19:01 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 09:18 . 2009-07-15 09:18 -------- d-----w- c:\program files\AVG
2009-07-15 07:19 . 2009-07-15 07:19 18528 ----a-w- c:\windows\system32\drivers\llo62a0.sys
2009-07-15 04:38 . 2009-07-15 04:38 -------- d-----w- c:\documents and settings\user\Application Data\cqwqquqo
2009-07-15 04:33 . 2009-07-15 04:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\cqwqquqo
2009-07-13 15:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-07 15:35 . 2009-07-07 15:35 -------- d--h--r- c:\documents and settings\user\Application Data\SecuROM
2009-07-07 15:35 . 2009-07-07 15:35 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-07 15:31 . 1987-11-13 03:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 17:09 . 2004-08-04 04:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-06-26 16:50 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-22 05:10 . 1987-11-13 03:59 -------- d-----w- c:\program files\Java
2009-06-22 05:10 . 2009-06-22 05:10 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 08:02 . 2009-06-18 08:02 390664 ----a-w- c:\documents and settings\yying\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-16 14:36 . 2004-08-07 00:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 04:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 04:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 04:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 04:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 01:19 . 1987-11-13 03:18 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:09 . 2004-08-04 04:56 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 03:33 . 2009-04-24 09:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-17 07:43 . 2009-05-17 07:43 390664 ----a-w- c:\documents and settings\user\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
.

((((((((((((((((((((((((((((((((((((( Important load points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* Empty entries and legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-05 1948440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTaskGrouping"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-05 16:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"UTSCSI"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"msupdate"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Darkness"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\user\\Desktop\\garena\\Garena.exe"=
"c:\\Program Files\\Chinese Star XP\\CStar.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6891:UDP"= 6891:UDP:MSN UDP
"6891:TCP"= 6891:TCP:MSN TCP
"26026:TCP"= 26026:TCP:flashget tcp
"6112:UDP"= 6112:UDP:warcraft udp
"6112:TCP"= 6112:TCP:warcraft tcp
"26026:UDP"= 26026:UDP:flashget udp

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2009 12:04 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/6/2009 12:04 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2009 12:03 AM 298776]
S1 llo62a0;llo62a0;c:\windows\system32\drivers\llo62a0.sys [7/15/2009 3:19 PM 18528]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\user\LOCALS~1\Temp\FDI75.tmp --> c:\docume~1\user\LOCALS~1\Temp\FDI75.tmp [?]
S4 Darkness;Darkness;c:\windows\system\svchost.exe --> c:\windows\system\svchost.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
‘计划任务’ 文件夹 里的内容

2009-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 05:42]

2009-08-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 09:39]

2009-08-14 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-08-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 09:04]

2009-08-14 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-14 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
- - - - ORPHANS REMOVED - - - -

BHO-{01E62567-7C25-461A-8304-2FF4C6D54189} - c:\windows\system32\wjuzjqtl.dll
BHO-{020727F8-D36A-4703-9953-51FE412E1BA5} - (no file)
BHO-{03CC4ACE-7C25-461A-8304-2FF4C6D54189} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- 而外的扫描 -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/229?1f08787308a74bc38b87c28129125518
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-my\msntabres.dll.mui/230?1f08787308a74bc38b87c28129125518
DPF: {5D6F45B3-9043-443D-A792-115447494D24}
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\9uj4qyr9.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npitunes.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\MOZILL~1\plugins\nppdf32.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\NPSWF32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 22:11
Windows 5.1.2600 Service Pack 3 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\user\LOCALS~1\Temp\FDI75.tmp"
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
完成时间: 2009-08-14 22:19 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-08-14 14:19

Pre-Run: 12,437,807,104 bytes free
Post-Run: 12,350,197,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NoExecute=AlwaysOff /NOPAE /fastdetect

1230 --- E O F --- 2009-08-13 14:06

Attached Files



#6 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 15 August 2009 - 10:20 AM

laven,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://forums.whatth...562#entry587562

Collect::
c:\windows\system32\drivers\llo62a0.sys

Folder::
c:\documents and settings\user\Application Data\cqwqquqo
c:\documents and settings\NetworkService\Application Data\cqwqquqo

Driver::
llo62a0


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

- - - - - Next - - - - -

Please download Malwarebytes' Anti-Malware from here or here

Double Click mbam-setup.exe to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. << Don't forget this!
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    (The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.)
  • Copy and Paste the entire report in your next reply.
- - - - - Next - - - - -

I'd like for you to run this Kaspersky Online Scan
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419

Reboot, on your next post please provide the following:
  • ComboFix.txt log
  • MalwareBytes log
  • Kaspersky scan results
  • Tell me how your computer is running at the moment.


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days








If you are satisfied with the help you have received, please consider making a donation.


#7 laven

laven

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 18 August 2009 - 08:10 AM

Hi OCD, Sorry for the delay. Had not been successful in executing the Kaspersky online scanner. Performed a scan last night; it hung after scanning for over 3 hrs, wasted my efforts. Anyway, I had performed a scan at certain folders which contained the most threats. Do refer to the text files attached. Targeting to scan tomorrow night if my schedule permits. Now my PC does not encounter the services fault mentioned previously. Did you write anything magic in that script? Many thanks!

Attached Files



#8 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 19 August 2009 - 08:12 PM

laven,

Be advised that MBAM found a Backdoor.Bot and as a precaution you should change your passwords.
We will also be cleaning up the quarantine file in qoobox before we are finished.

- - - - - Next - - - - -

Please try this other online scanner: Eset Online Scanner
You will need Internet Explorer to run this scan.

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

Please re-run DDS and provide a new log. (run the new DDS scan after the ESET scan please)

Reboot, on your next post please provide the following:
  • ESET log.txt
  • DDS.txt


OCD



#9 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 22 August 2009 - 09:59 PM

Hello laven,

It's been a few days; I was just checking to see if you still needed assistance.


OCD



#10 laven

laven

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 23 August 2009 - 09:27 AM

Hi OCD, I am still trying to perform the Eset Online Scanner. Tried a couple of times, yet unable to initialize the application. Been busy the past few days; probably will be able to post next week. Appreciate your constant follow-up.

#11 laven

laven

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 24 August 2009 - 10:00 AM

Hi OCD, Managed to perform a Kaspersky Online Scan, but broken down into individual drives. Also ran a DDS. Please refer to the attached, and let me know what needs to be performed next. Sorry for taking too much of your time. Thanks.

Attached Files



#12 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 26 August 2009 - 06:17 AM

laven,

Please locate the file in red and delete it. Please be sure to only delete the file that is designated.
(Not the folder they are contained in)

  • C:\Program Files\Trend Micro\HijackThis\backups\backup-20090807-004739-830.dll
- - - - - Next - - - - -

We have a few items to take care of before my All Clean Speech.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
Posted Image

The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.
- - - - - Next - - - - -

You can delete the tools we downloaded: (both should be located on your desktop)
  • DDS
  • GMER
- - - - - Next - - - - -

You have old Java installed.
Please follow these steps to remove older version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
    • Java 2 Runtime Environment, SE v1.4.2_06
    • Java™ 6 Update 3
    • Java™ 6 Update 5
    • Java™ 6 Update 7
    • Java™ SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
- - - - - Next - - - - -

To clean out your old temp files:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
- - - - - Next - - - - -

You don't appear to have a third party firewall installed, please consider one of these:

Please download one (1) of the firewalls below.

Firewall:
- - - - - Next - - - - -

Visit ADOBE and download the latest version of Acrobat Reader (version 9.1)
Having the latest updates ensures there are no security vulnerabilities in your system.

- - - - - Next - - - - -

Here comes the "All Clean Speech":

Now that your log is clean, you need to set a new clean System Restore Point

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
We need to set a new system restore point:

Click Start > Run > copy and paste the following into the run box:


%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create,
when the confirmation screen shows the restore point has been created click Close.

Now remove all previous Restore Points:

Click Start > Run > copy and paste the following into the run box:


cleanmgr

At the top, click on More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.

- - - - - Next - - - - -

Here are some tips to reduce the potential for spyware infection in the future:

Automatic Updates:

The easiest way to ensure you don't miss any of the critical Windows Updates is to set your computer up to receive Automatic Updates.
To set your computer up for Automatic Updates please do the following:
  • Click Start, and then click Control Panel.
  • Depending on which Control Panel view you use, Classic or Category, do one of the following:
  • Click System, and then click the Automatic Updates tab.
  • Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
  • Select Automatic and choose a frequency and time that's convenient for you to get the updates.
  • Click Apply, then OK
  • Close the Control Panel.
- - - - - Next - - - - -

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

You are using AVG8 as your anti virus software. It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Which Firewall are you using? I cannot stress how important it is that you keep the Firewall on your computer active at all times. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
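The hosts-file mechanism described above, as an added example that is not part of this thread or of the MVPS project: a small Python parser that answers what the local resolver would do for a name before DNS is consulted, and that also flags entries mapping a name to a routable address, which is the same mechanism used in reverse by a hosts-file hijack and a check worth running on a machine that could not reach online scanners. All hostnames and addresses in it are constructed sample data.

```python
"""Hosts-file sinkhole check (added example, not code from the forum thread).

A blocklist hosts file such as the MVPS one works because the resolver reads
%SystemRoot%\\System32\\drivers\\etc\\hosts before asking DNS: any name listed
there with 127.0.0.1 (or 0.0.0.0) never reaches the network.  The same file
can be abused in reverse, so suspicious_entries() also reports names that are
pointed at a routable address.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file: a normal localhost line, two blocklist-style
# entries, a commented-out entry, and one hypothetical redirect of an
# update-server-looking name to a routable (TEST-NET-2) address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example-adnetwork.test   # blocklist style, unspecified address
127.0.0.1  tracker.example-metrics.test   # blocklist style, loopback
#127.0.0.1  disabled.example.test
198.51.100.23   update.example-antivirus.test
"""

# Addresses a blocklist uses to sinkhole a name.
SINKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname (lower-case): ip} for every active entry.

    Comments ('#' to end of line) and blank lines are skipped; the first
    mapping seen for a name wins, which is how the resolver behaves.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(table: Dict[str, str], hostname: str) -> Optional[str]:
    """What the local resolver does with hostname before DNS is consulted:
    'sinkholed' (loopback/unspecified), 'redirected' (any other address),
    or None when the name is absent and the query falls through to DNS."""
    ip = table.get(hostname.lower())
    if ip is None:
        return None
    return "sinkholed" if ipaddress.ip_address(ip) in SINKHOLE else "redirected"


def suspicious_entries(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that send a name to a routable address.  A legitimate
    blocklist never does this, so each hit deserves a manual look."""
    hits: List[Tuple[str, str]] = []
    for name, ip in table.items():
        addr = ipaddress.ip_address(ip)
        if addr not in SINKHOLE and not addr.is_loopback:
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnetwork.test", "disabled.example.test",
                 "update.example-antivirus.test"):
        print(f"{name}: {resolve(hosts, name)}")
    print("suspicious:", suspicious_entries(hosts))
```

On a real machine, read the system hosts file into parse_hosts() instead of SAMPLE_HOSTS; any name reported by suspicious_entries() that is not one you added yourself is the kind of entry a hijack leaves behind.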

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

Update all security programs regularly - Make sure you update all the programs regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Remember to have only one (1) Firewall and one (1) Anti-Virus program running at any one time.

I would also suggest you read "So how did I get infected in the first place?" by Tony Klein

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.


OCD



#13 laven

laven

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 27 August 2009 - 05:49 AM

Hi OCD, Thanks for all the great help and advice these 2 weeks. Very glad to know that my PC is cleaned of any infections now. Do mark this thread as closed and resolved. Thanks again.

#14 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 27 August 2009 - 11:05 AM

Hi laven,

Glad I was able to help.

Have a great day. :thumbup:


OCD



#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 27 August 2009 - 11:20 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
