
Topic: HJT log + i have delself on desktop

  1. #1
    Beginner
    Registered since
    15.07.2008
    Posts
    12

    HJT log + i have delself on desktop

    Hi, I am pasting this from another thread I made (in another forum). I posted it about a week ago already with no reply, so I'm hoping to get help here:

    I ran Combo-Fix, then it gave me a message that some files had been removed/replaced, I guess they were corrupted. It asked to insert the Windows XP CD but it rebooted after a while by itself (I didn't have the CD anyway). Windows started up fine but then I got these two message boxes which I think are the files affected (or there are probably more):


    Notice the "delself" file remains on the desktop, so hopefully someone can help me out. I will paste both the Combo-Fix and HijackThis logs. Sorry if it's a long thread. I was finally able to open HijackThis after Combo-Fix rebooted the system, so I'm posting it because I think it will help/be informative.

    ComboFix 08-07-07.3 - Cindy Colon 2008-07-11 14:50:48.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.280 [GMT -7:00]
    Running from: C:\Documents and Settings\Cindy Colon\Desktop\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\dllcache\beep.sys
    C:\WINDOWS\system32\drivers\beep.sys
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\All Users\Application Data\Rabio
    C:\Documents and Settings\Cindy Colon\My Documents\MBOLS~1
    C:\Documents and Settings\Cindy Colon\My Documents\MBOLS~1\??mbols\
    C:\Documents and Settings\Cindy Colon\My Documents\MBOLS~1\spool32.exe
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon
    C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\network monitor
    C:\Program Files\network monitor\netmon.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive15.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dicy.gz
    C:\Program Files\QdrModule\kwdy.gz
    C:\Program Files\QdrModule\pckr.dat
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\Program Files\QdrModule\softyadsupdate.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\dicts.gz
    C:\Program Files\QdrPack\dsmupd.exe
    C:\Program Files\QdrPack\QdrPack15.exe
    C:\Program Files\QdrPack\trgts.gz
    C:\Program Files\RcvSystem
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\123messenger.per
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\444.470
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\BM7bf71f46.txt
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\braviax.exe
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\conf.inf
    C:\WINDOWS\cru629.dat
    C:\WINDOWS\default.htm
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\ky.sxc
    C:\WINDOWS\lfn.exe
    C:\WINDOWS\licencia.txt
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\mscon.sio
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\muotr.so
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\PerfInfo\G7FO2bsDfwwp.exe
    C:\WINDOWS\portsv.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\braviax.exe
    C:\WINDOWS\system32\clbdll.dll
    C:\WINDOWS\system32\clbdll.old
    C:\WINDOWS\system32\clbinit.dll
    C:\WINDOWS\system32\cLnqBeNn.ini
    C:\WINDOWS\system32\cLnqBeNn.ini2
    C:\WINDOWS\system32\cru629.dat
    C:\WINDOWS\system32\drivers\clbdriver.sys
    C:\WINDOWS\system32\drivers\ndiswann.sys
    C:\WINDOWS\system32\fezfwc.dll
    C:\WINDOWS\system32\gside.exe
    C:\WINDOWS\system32\hdiytugf.dll
    C:\WINDOWS\system32\hnogixqq.dll
    C:\WINDOWS\system32\ljJDUnki.dll
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\nNeBqnLc.dll
    C:\WINDOWS\system32\nuqdtwmd.ini
    C:\WINDOWS\system32\ogrdtxsf.dll
    C:\WINDOWS\system32\ojagraxb.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\psAHkUvw.ini
    C:\WINDOWS\system32\psAHkUvw.ini2
    C:\WINDOWS\system32\qcntrtdm.exe
    C:\WINDOWS\system32\RCLlmnnn.ini
    C:\WINDOWS\system32\RCLlmnnn.ini2
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\winivstr.exe
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\telefonos.txt
    C:\WINDOWS\textos.txt
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\winself.exe
    C:\WINDOWS\wintst32.tmp

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.74
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CLBDRIVER
    -------\Legacy_MSSECURITY1.209.4
    -------\Legacy_MSSYSINTERV1
    -------\Legacy_NDISWANN
    -------\Legacy_NETWORK_MONITOR
    -------\Service_MsSecurity1.209.4
    -------\Service_MSSysInterv1
    -------\Service_ndiswann
    -------\Service_Network Monitor
    -------\Service_PlugPlayRPC


    ((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
    .

    2008-07-11 14:39 . 2008-07-11 14:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-11 14:15 . 2008-07-11 14:26 <DIR> d-------- C:\fixwareout
    2008-07-10 21:12 . 2008-07-10 21:13 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-10 19:49 . 2008-07-10 19:49 49,176 --a------ C:\WINDOWS\system32\rrwnw64n.exe
    2008-07-10 19:46 . 2008-07-10 19:46 <DIR> d--hs---- C:\WINDOWS\Q2luZHk
    2008-07-10 19:46 . 2008-07-10 19:46 167,976 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-07-10 19:46 . 2008-07-10 19:46 55,808 --a------ C:\WINDOWS\yoursearchnet_com.exe
    2008-07-10 19:46 . 2008-07-10 19:46 41,984 --a------ C:\WINDOWS\mrofinu1000106.exe
    2008-07-10 19:46 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\WINDOWS\system32\tfig
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\WINDOWS\system32\olixds01
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\WINDOWS\system32\net
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\WINDOWS\system32\cREG
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\WINDOWS\system32\1030
    2008-07-10 19:45 . 2008-07-10 19:45 <DIR> d-------- C:\Temp\stmpv4
    2008-07-10 19:45 . 2008-07-11 14:55 <DIR> d-------- C:\Temp
    2008-07-10 19:45 . 2008-07-10 19:45 41,984 --a------ C:\WINDOWS\mrofinu572.exe
    2008-07-10 19:45 . 2008-07-10 19:45 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2008-07-10 19:45 . 2008-07-10 19:45 25,888 --a------ C:\WINDOWS\system32\vtUlKDts.dll
    2008-07-10 19:45 . 2008-07-10 19:45 25,888 --a------ C:\WINDOWS\system32\khfGyayv.dll
    2008-07-10 19:40 . 2008-07-10 19:40 <DIR> d-------- C:\WINDOWS\Sun
    2008-07-10 19:32 . 2008-07-10 19:32 <DIR> d-------- C:\Program Files\qgrgvob
    2008-07-10 19:28 . 2008-07-10 19:28 37,376 --a------ C:\Twb5.exe
    2008-07-09 13:04 . 2008-07-09 13:04 37,888 --a------ C:\WINDOWS\system32\emmmfkmo.exe
    2008-07-09 13:02 . 2008-07-11 14:25 <DIR> d-------- C:\WINDOWS\system32\4466
    2008-07-09 13:01 . 2003-04-15 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
    2008-07-09 12:59 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-07-09 12:59 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-07-09 12:59 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-07-09 12:58 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-07-09 12:55 . 2008-07-09 12:55 <DIR> d-------- C:\Program Files\iCheck
    2008-07-09 12:55 . 2008-07-09 12:56 <DIR> d-------- C:\Program Files\GetPack
    2008-07-09 12:55 . 2008-07-11 14:28 <DIR> d-------- C:\Program Files\GetModule
    2008-07-04 22:05 . 2008-07-04 22:05 32,768 --a------ C:\WINDOWS\system32\olixds01\olixds011065.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-10 02:43 --------- d-----w C:\Program Files\Common Files\Motive
    2008-07-10 02:42 --------- d-----w C:\Program Files\SBC Self Support Tool
    2008-07-09 20:03 --------- d-----w C:\Documents and Settings\Cindy Colon\Application Data\LimeWire
    2008-04-13 17:17 70,144 ----a-w C:\WINDOWS\snmdovqv.dll
    2008-04-13 17:17 70,144 ----a-w C:\Documents and Settings\All Users\Application Data\mhixwxkx.dll
    2008-04-13 17:17 196,096 ----a-w C:\WINDOWS\hgvehqlw.dll
    2008-04-13 17:17 110,592 ----a-w C:\WINDOWS\system32\tehobivw.exe
    2008-04-13 17:15 41,724 --sh--w C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    2008-04-11 19:44 187,904 --sh--w C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
    2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\Q2luZHk\asappsrv.dll
    2005-08-02 23:58 293,888 --sha-r C:\WINDOWS\Q2luZHk\command.exe
    2005-07-29 23:24 472 --sha-r C:\WINDOWS\Q2luZHk\kZ5RtJ4.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xfoamwny"="C:\WINDOWS\system32\tehobivw.exe" [2008-04-13 10:17 110592]
    "GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [2008-06-17 02:56 350208]
    "GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [2008-06-17 02:58 351744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 21:51 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 21:44 610304]
    "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2003-05-12 14:28 32768]
    "HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2003-09-24 13:53 40960]
    "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
    "LMgrPanelICON"="C:\Program Files\Launch Manager\PanelICON.exe" [2003-09-24 16:37 36864]
    "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2003-09-12 15:24 65536]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
    "Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
    "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-04-10 00:16 230512]
    "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-04-10 00:16 185456]
    "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 19:49 397312]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "{42-2C-C7-75-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-07-11 15:21 49193]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 07:53 88363 C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-15 14:34 57344 C:\WINDOWS\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ShSmart"= {1954757B-20F7-672E-EF54-00D06EB72E5D} - C:\Program Files\qgrgvob\ShSmart.dll [2008-07-10 19:32 102400]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1 [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    --a------ 2003-06-25 15:30 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    -ra------ 2001-07-09 03:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    --a------ 2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=

    R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
    S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-BM7bf71f46 - C:\WINDOWS\system32\hdiytugf.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 15:19:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\rwwnw64d.exe 49193 bytes executable
    C:\WINDOWS\system32\msnav32.ax 40 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Yahoo!\Antivirus\iSafe.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-11 15:22:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-11 22:22:24

    Pre-Run: 34,364,342,272 bytes free
    Post-Run: 34,342,932,480 bytes free

    286


    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:29:04 PM, on 7/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\PanelICON.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\tehobivw.exe
    C:\Program Files\GetPack\GetPack19.exe
    C:\Program Files\GetModule\GetModule19.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\rundll32.exe
    c:\windows\system32\rwwnw64d.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\jimmy\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [{42-2C-C7-75-DW}] c:\windows\system32\rwwnw64d.exe DWram02YB
    O4 - HKCU\..\Run: [xfoamwny] C:\WINDOWS\system32\tehobivw.exe
    O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
    O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
    O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
    O4 - Startup: Deewoo.lnk = C:\QooBox\Quarantine\C\WINDOWS\system32\qcntrtdm.exe.vir
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144655284394
    O21 - SSODL: ShSmart - {1954757B-20F7-672E-EF54-00D06EB72E5D} - C:\Program Files\qgrgvob\ShSmart.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

    --
    End of file - 5439 bytes

    Appreciate any help.

  2. #2
    Moderator (global), team member, Jintan
    Registered since
    25.11.2006
    Posts
    6,369

    Re: HJT log + i have delself on desktop

    Darn N-ee, other than a welcome to HijackThis.de, you know ComboFix warned you not to run it like that, and gave stats on computers not rebooting - given the looks of the ComboFix log I am surprised you could. Before any other changes are made we need to assess the status of a necessary system file, which ComboFix was also indicating a need to retrieve from a CD. Be prepared to at least borrow an XP SP2 CD, or maybe even get files from another same-version computer. We'll see.

    I will need you to return to the other forum post and let them know you are receiving assistance elsewhere. There are a limited number of people doing this assistance, and we don't want them using extra time when it can be used for someone else.


    Go to Start > Run and type:

    cmd.exe

    and OK. Copy and paste the below string after the prompt >

    dir /s /a "c:\beep*.*" > c:\find.txt & start notepad c:\find.txt

    Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
    Live the day!

    Jintan - The brand where everything is right!

  3. #3
    Beginner
    Registered since
    15.07.2008
    Posts
    12

    Re: HJT log + i have delself on desktop

    Ok, I left a reply that I'm getting help already.

    Here's the Notepad info, hope I did it right:

    Volume in drive C has no label.
    Volume Serial Number is 78C4-2C75

    Directory of c:\Program Files\Yahoo!\Messenger\Media\RingTones

    04/12/2005 12:55 PM 11,764 beep.wav
    1 File(s) 11,764 bytes

    Directory of c:\QooBox\Quarantine\C\WINDOWS\system32\dllcache

    07/10/2008 07:28 PM 26,624 beep.sys.vir
    1 File(s) 26,624 bytes

    Directory of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers

    07/10/2008 07:28 PM 26,624 beep.sys.vir
    1 File(s) 26,624 bytes

    Directory of c:\WINDOWS\system32

    04/15/2003 06:00 AM 4,224 beep.sys
    1 File(s) 4,224 bytes

    Total Files Listed:
    4 File(s) 69,236 bytes
    0 Dir(s) 34,366,078,976 bytes free

  4. #4
    Moderator (global), team member, Jintan
    Registered since
    25.11.2006
    Posts
    6,369

    Re: HJT log + i have delself on desktop

    ComboFix removed the bad beep.sys files, but you do have one of what shows as a good copy there. Let's return that, then see about more repairs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Go to Start - Run, type notepad (and Enter). In the open textbox copy/paste the following.
    Code:
    @ECHO OFF
    cd\
    copy c:\WINDOWS\system32\beep.sys c:\windows\system32\drivers
    copy c:\WINDOWS\system32\beep.sys C:\WINDOWS\system32\dllcache
    exit
    Then name this "renner.bat" being sure to include the "" quotes in the name, and save it to your desktop (Important!).


    Then open Task Manager (Ctrl - Alt - Delete), and under the Processes tab locate and click to highlight explorer.exe. Then click End Process (and OK the warning).

    This will cause your desktop to disappear.


    Still in Task Manager go to File - New Task, and type in the following (then press OK):

    %userprofile%\desktop\renner.bat

    A window will open then close quickly - this is normal. Then again still in Task Manager go to File - New Task, and type explorer (and OK). This will return the desktop. Then close Task Manager.

    --------------------------

    Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.


    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log and the SDFix report.txt log please.
    Live the day!

    Jintan - The brand where everything is right!
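The reasoning of post #4 (sort the hits from the post #3 directory listing into the copies ComboFix already quarantined and the one copy that shows as good, then place that copy back where Windows expects it), as an added Python example; this is not code from the thread or from any of the tools it mentions. It assumes the ".vir" quarantine suffix, the two target directories used by the renner.bat batch above, and 4,224 bytes as the reference size of the copy the moderator accepted; the sample listing is reproduced from post #3.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "dir /s /a" output pasted in post #3 of this thread,
# reproduced here so the script runs offline.
DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 78C4-2C75

 Directory of c:\Program Files\Yahoo!\Messenger\Media\RingTones

04/12/2005  12:55 PM            11,764 beep.wav
               1 File(s)         11,764 bytes

 Directory of c:\QooBox\Quarantine\C\WINDOWS\system32\dllcache

07/10/2008  07:28 PM            26,624 beep.sys.vir
               1 File(s)         26,624 bytes

 Directory of c:\QooBox\Quarantine\C\WINDOWS\system32\drivers

07/10/2008  07:28 PM            26,624 beep.sys.vir
               1 File(s)         26,624 bytes

 Directory of c:\WINDOWS\system32

04/15/2003  06:00 AM             4,224 beep.sys
               1 File(s)          4,224 bytes

     Total Files Listed:
               4 File(s)         69,236 bytes
               0 Dir(s)  34,366,078,976 bytes free
"""

# Assumptions (not stated on the page as rules): ComboFix marks quarantined files
# with ".vir", the driver must exist in both directories below, and 4,224 bytes is
# the size of the copy the moderator accepted as good in post #4.
QUARANTINE_SUFFIX = ".vir"
REQUIRED_DIRS = (r"C:\WINDOWS\system32\drivers", r"C:\WINDOWS\system32\dllcache")
EXPECTED_SIZE = 4224

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$"
)


@dataclass
class FoundFile:
    path: str
    date: str
    size: int

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def directory(self):
        return self.path.rsplit("\\", 1)[0]


def parse_dir_listing(text):
    """Turn "dir /s" output into FoundFile records; <DIR> rows and summary lines are skipped."""
    current_dir = None
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))
            files.append(FoundFile(current_dir + "\\" + m.group(4), m.group(1), size))
    return files


def assess_driver_copies(files, driver="beep.sys", expected_size=EXPECTED_SIZE,
                         required_dirs=REQUIRED_DIRS):
    """Sort hits into good / quarantined / suspect and list required dirs that lack a good copy."""
    good, quarantined, suspect = [], [], []
    for f in files:
        n = f.name.lower()
        if n == driver + QUARANTINE_SUFFIX:
            quarantined.append(f)          # already removed by ComboFix; leave it in quarantine
        elif n == driver:
            (good if f.size == expected_size else suspect).append(f)
    present = {f.directory.lower() for f in good}
    missing = [d for d in required_dirs if d.lower() not in present]
    return {"good": good, "quarantined": quarantined, "suspect": suspect, "missing_from": missing}


def restore_commands(report):
    """Copy lines for a repair batch like renner.bat: the first good copy into each missing dir."""
    if not report["good"]:
        return []   # nothing trustworthy to copy; a CD or another machine is needed, as post #2 says
    src = report["good"][0].path
    return [f'copy "{src}" "{d}"' for d in report["missing_from"]]


if __name__ == "__main__":
    rep = assess_driver_copies(parse_dir_listing(DIR_OUTPUT))
    for key in ("good", "quarantined", "suspect"):
        for f in rep[key]:
            print(f"{key:11} {f.size:>7} {f.date} {f.path}")
    print("missing from:", rep["missing_from"])
    print("\n".join(restore_commands(rep)))
```

A copy of the right name but the wrong size sitting in a live directory is reported as suspect rather than trusted, which is the case the helper was guarding against when checking sizes before copying.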

  5. #5
    Beginner
    Registered since
    15.07.2008
    Posts
    12

    Re: HJT log + i have delself on desktop

    I am down to the dss.exe step. It's not on my desktop. Where do I find it/get it from?

  6. #6
    Moderator (global), team member, Jintan
    Registered since
    25.11.2006
    Posts
    6,369

    Re: HJT log + i have delself on desktop

    Sorry. Habit - I forgot you started your own repairs here. The missing step for that, which will be slightly different from the other:


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post those along with the Malwarebytes log and the SDFix report.txt log please.
    Live the day!

    Jintan - The brand where everything is right!

  7. #7
    Beginner
    Registered since
    15.07.2008
    Posts
    12

    Re: HJT log + i have delself on desktop

    SDFix report:

    SDFix: Version 1.205
    Run by Cindy Colon on Wed 07/16/2008 at 07:16 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\cuawsppw\1.png - Deleted
    C:\WINDOWS\cuawsppw\2.png - Deleted
    C:\WINDOWS\cuawsppw\3.png - Deleted
    C:\WINDOWS\cuawsppw\4.png - Deleted
    C:\WINDOWS\cuawsppw\5.png - Deleted
    C:\WINDOWS\cuawsppw\6.png - Deleted
    C:\WINDOWS\cuawsppw\7.png - Deleted
    C:\WINDOWS\cuawsppw\8.png - Deleted
    C:\WINDOWS\cuawsppw\9.png - Deleted
    C:\WINDOWS\cuawsppw\bottom-rc.gif - Deleted
    C:\WINDOWS\cuawsppw\config.png - Deleted
    C:\WINDOWS\cuawsppw\content.png - Deleted
    C:\WINDOWS\cuawsppw\download.gif - Deleted
    C:\WINDOWS\cuawsppw\frame-bg.gif - Deleted
    C:\WINDOWS\cuawsppw\frame-bottom-left.gif - Deleted
    C:\WINDOWS\cuawsppw\frame-h1bg.gif - Deleted
    C:\WINDOWS\cuawsppw\head.png - Deleted
    C:\WINDOWS\cuawsppw\icon.png - Deleted
    C:\WINDOWS\cuawsppw\indexwp.html - Deleted
    C:\WINDOWS\cuawsppw\main.css - Deleted
    C:\WINDOWS\cuawsppw\memory-prots.png - Deleted
    C:\WINDOWS\cuawsppw\net.png - Deleted
    C:\WINDOWS\cuawsppw\pc.gif - Deleted
    C:\WINDOWS\cuawsppw\pc-mag.gif - Deleted
    C:\WINDOWS\cuawsppw\poloska1.png - Deleted
    C:\WINDOWS\cuawsppw\poloska2.png - Deleted
    C:\WINDOWS\cuawsppw\poloska3.png - Deleted
    C:\WINDOWS\cuawsppw\promowp1.html - Deleted
    C:\WINDOWS\cuawsppw\promowp2.html - Deleted
    C:\WINDOWS\cuawsppw\promowp3.html - Deleted
    C:\WINDOWS\cuawsppw\promowp4.html - Deleted
    C:\WINDOWS\cuawsppw\promowp5.html - Deleted
    C:\WINDOWS\cuawsppw\reg.png - Deleted
    C:\WINDOWS\cuawsppw\repair.png - Deleted
    C:\WINDOWS\cuawsppw\scr-1.png - Deleted
    C:\WINDOWS\cuawsppw\scr-2.png - Deleted
    C:\WINDOWS\cuawsppw\start.png - Deleted
    C:\WINDOWS\cuawsppw\styles.css - Deleted
    C:\WINDOWS\cuawsppw\top-rc.gif - Deleted
    C:\WINDOWS\cuawsppw\vline.gif - Deleted
    C:\WINDOWS\cuawsppw\wp.png - Deleted
    C:\Program Files\GetModule\dicik.gz - Deleted
    C:\Program Files\GetModule\GetModule19.exe - Deleted
    C:\Program Files\GetModule\kwdik.gz - Deleted
    C:\Program Files\GetModule\pckik.dat - Deleted
    C:\Program Files\GetPack\dictame.gz - Deleted
    C:\Program Files\GetPack\GetPack19.exe - Deleted
    C:\Program Files\GetPack\trgtame.gz - Deleted
    C:\Program Files\iCheck\Uninstall.exe - Deleted
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
    C:\WINDOWS\mrofinu1000106.exe - Deleted
    C:\WINDOWS\mrofinu572.exe - Deleted
    C:\Program Files\xloadnet\xloadnet.exe - Deleted
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
    C:\DOCUME~1\CINDYC~1\LOCALS~1\Temp\removalfile.bat - Deleted
    C:\WINDOWS\browser.exe - Deleted
    C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
    C:\WINDOWS\system32\msnav32.ax - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted
    C:\WINDOWS\system32\rwwnw64d.exe - Deleted
    C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
    C:\WINDOWS\uninstall_nmon.vbs - Deleted



    Folder C:\Program Files\GetModule - Removed
    Folder C:\Program Files\GetPack - Removed
    Folder C:\Program Files\iCheck - Removed
    Folder C:\Program Files\xloadnet - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-16 19:21:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 2 Aug 2005 187,904 A.SHR --- "C:\WINDOWS\Q2luZHk\asappsrv.dll"
    Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\Q2luZHk\command.exe"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\00766461b1b00d8469999536d8f8d6e4\BIT8.tmp"
    Wed 16 Jul 2008 151,177 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\BIT7.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT28.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a120212db9f8797932f46def01672fc\BIT2A.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\BITC.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BIT24.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT1D.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\BIT17.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT3A.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\BIT28.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\BIT13.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BIT1B.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\BIT18.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\BITB.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\BIT2C.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\BIT31.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\36c3c1f2e48b09c0b125981ec993e178\BITD.tmp"
    Wed 16 Jul 2008 797,088 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT25.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\BIT29.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BIT1C.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT19.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\BITC.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT1F.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\BIT32.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT23.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT1B.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4e28cc4378cd0807778e1b0917bd6312\BIT16.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT22.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\50d0c9ff929a7477233edd0771ffdb01\BIT1C.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT17.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\BIT24.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT36.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT2C.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86c1313b3b7233a513215d577f5db5c4\BIT2B.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\BIT1A.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\BIT1A.tmp"
    Wed 16 Jul 2008 5,319,000 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8aba0967f899f346d112e436c1f1b5c7\BIT14.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\BIT20.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\985a4860635d6b1a586d2df5ae754c21\BIT12.tmp"
    Wed 16 Jul 2008 102,173 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\991099a35378d98f420ab4028323ec84\BIT2D.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4a9ccd1806461c53ce89bdd6f4591bf\BIT18.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aa19f15378aa75d2b2c7ba5771e0c521\BITF.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT29.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT21.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\BITD.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\BIT1D.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT16.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\BIT35.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT2D.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c36c7f4b6082ffbd96a80985adcf3ca0\BITA.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3c3c6d9de8be474641d4bbceb22a36f\BIT39.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\BIT33.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\BIT22.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d037d9bbbbdf880e477c3840b38c3180\BIT20.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d05e90bdbe498b084a93603bc30f3c3c\BIT2F.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\BIT2E.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20fc1765c1d2a8e6c26cf77036ce48f\BIT27.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\BIT27.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d820fbd6e1527bc9c51d0c3b240b96fd\BIT25.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT26.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT37.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dcfb65ff18fcfdf3d0086d241818e7bc\BIT15.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT1E.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ed6cff8bccff865b52b93292e144ada6\BIT9.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT2A.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BIT38.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1717a50ad70787e0b2e37537d202992\BIT34.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\BIT23.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\BIT26.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\BIT1F.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\download\BIT34.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\download\BIT30.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\download\BIT9.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BIT33.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1ef77232e6f7faea77bfc1ae4b57d4af\download\BIT39.tmp"
    Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\299966e551b4462ae94e39e251e277b6\download\BIT15.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\304c19f1612f37ffa8967147d3cb7464\download\BIT7.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5652d934eec8bfa4dc68c4e256a23d5e\download\BIT6.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\588786e399909bbe558853aada5a75c8\download\BIT3A.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\BIT35.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\download\BIT8.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT31.tmp"
    Wed 16 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\download\BIT2F.tmp"

    Finished!

    Malware Report:

    Malwarebytes' Anti-Malware 1.20
    Database version: 960
    Windows 5.1.2600 Service Pack 2

    7:52:26 PM 7/16/2008
    mbam-log-7-16-2008 (19-52-26).txt

    Scan type: Quick Scan
    Objects scanned: 38585
    Time elapsed: 5 minute(s), 53 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 14
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 11

    Memory Processes Infected:
    C:\WINDOWS\system32\tehobivw.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfoamwny (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2a2cf527-5fb7-6619-2ab2-734f20f2781c} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Cindy Colon\Application Data\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\tehobivw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rrwnw64n.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cindy Colon\Application Data\PC-Cleaner\log.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cindy Colon\Application Data\PC-Cleaner\settings.dat (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uduueljjskua.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tcntaxdm.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM7bf71f46.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\mhixwxkx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cindy Colon\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.

    DSS main txt:

    Deckard's System Scanner v20071014.68
    Run by Cindy Colon on 2008-07-17 12:00:25
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.

    Total Physical Memory: 511 MiB (512 MiB recommended).


    -- HijackThis (run as Cindy Colon.exe) -----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:03 PM, on 7/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\PanelICON.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Cindy Colon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\jimmy\Cindy Colon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: bannerstyle browser optimizer - {5be1c609-6326-18c4-8fac-a6693c869b34} - C:\WINDOWS\system32\uduueljjskua.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.sxload.net (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144655284394
    O21 - SSODL: ShSmart - {1954757B-20F7-672E-EF54-00D06EB72E5D} - C:\Program Files\qgrgvob\ShSmart.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

    --
    End of file - 4973 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 Hotkey - c:\windows\system32\drivers\hotkey.sys
    R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
    R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
    R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>
    R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus>

    S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
    S3 catchme - c:\docume~1\cindyc~1\locals~1\temp\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-06-17 and 2008-07-17 -----------------------------

    2008-07-16 19:36:48 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\Malwarebytes
    2008-07-16 19:36:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-16 19:36:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-16 19:11:36 0 d-------- C:\WINDOWS\ERUNT
    2008-07-16 17:39:18 0 d-------- C:\WINDOWS\system32\aumsDK01
    2008-07-16 17:25:50 64852 --a------ C:\WINDOWS\system32\erlzingreyipb.exe
    2008-07-11 14:46:37 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-11 14:46:37 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-11 14:46:37 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-11 14:46:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-11 14:46:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-11 14:46:37 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-11 14:46:37 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-11 14:46:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-11 14:39:43 0 d-------- C:\Program Files\Trend Micro
    2008-07-10 21:13:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
    2008-07-10 21:13:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-07-10 21:13:01 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2008-07-10 21:13:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2008-07-10 21:13:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2008-07-10 21:13:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2008-07-10 21:13:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2008-07-10 21:13:00 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2008-07-10 21:13:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2008-07-10 19:46:29 55808 --a------ C:\WINDOWS\yoursearchnet_com.exe
    2008-07-10 19:46:27 0 d--hs---- C:\WINDOWS\Q2luZHk
    2008-07-10 19:45:53 0 d-------- C:\WINDOWS\system32\tfig
    2008-07-10 19:45:53 0 d-------- C:\WINDOWS\system32\net
    2008-07-10 19:45:53 0 d-------- C:\WINDOWS\system32\cREG
    2008-07-10 19:45:53 0 d-------- C:\WINDOWS\system32\1030
    2008-07-10 19:45:38 0 d-------- C:\WINDOWS\system32\olixds01
    2008-07-10 19:45:37 0 d-------- C:\Temp
    2008-07-10 19:40:48 0 d-------- C:\WINDOWS\Sun
    2008-07-10 19:40:48 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\Sun
    2008-07-10 19:32:05 0 d-------- C:\Program Files\qgrgvob
    2008-07-10 19:28:57 37376 --a------ C:\Twb5.exe
    2008-07-09 13:02:29 0 d-------- C:\WINDOWS\system32\4466


    -- Find3M Report ---------------------------------------------------------------

    2008-07-16 19:17:33 0 d-------- C:\Program Files\Common Files
    2008-07-09 19:43:08 0 d-------- C:\Program Files\Common Files\Motive
    2008-07-09 19:42:33 0 d-------- C:\Program Files\SBC Self Support Tool
    2008-07-09 13:03:25 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5be1c609-6326-18c4-8fac-a6693c869b34}]
    C:\WINDOWS\system32\uduueljjskua.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/24/2003 09:51 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/24/2003 09:44 PM]
    "AGRSMMSG"="AGRSMMSG.exe" [06/27/2003 07:53 AM C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [08/15/2003 02:34 PM C:\WINDOWS\SOUNDMAN.EXE]
    "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [05/12/2003 02:28 PM]
    "HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [09/24/2003 01:53 PM]
    "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
    "LMgrPanelICON"="C:\Program Files\Launch Manager\PanelICON.exe" [09/24/2003 04:37 PM]
    "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [09/12/2003 03:24 PM]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 02:02 PM]
    "Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 04:52 AM]
    "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [04/10/2006 12:16 AM]
    "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [04/10/2006 12:16 AM]
    "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [04/22/2005 07:49 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "xloadnet"="C:\Program Files\xloadnet\xloadnet.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ShSmart"= {1954757B-20F7-672E-EF54-00D06EB72E5D} - C:\Program Files\qgrgvob\ShSmart.dll [07/10/2008 07:32 PM 102400]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    Ati2mdxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1




    -- End of Deckard's System Scanner: finished at 2008-07-17 12:02:44 ------------

    DSS extra txt:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) M processor 1400MHz
    Percentage of Memory in Use: 45%
    Physical Memory (total/avail): 510.98 MiB / 277.64 MiB
    Pagefile Memory (total/avail): 1248.15 MiB / 1055.17 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1949.11 MiB

    C: is Fixed (NTFS) - 35.27 GiB total, 31.76 GiB free.
    D: is Fixed (FAT32) - 1.98 GiB total, 1.98 GiB free.
    E: is CDROM (No Media)
    F: is Removable (FAT)

    \\.\PHYSICALDRIVE0 - FUJITSU MHT2040AT - 37.26 GiB - 2 partitions
    \PARTITION0 (bootable) - Installable File System - 35.27 GiB - C:
    \PARTITION1 - Extended w/Extended Int 13 - 2031.66 MiB - D:

    \\.\PHYSICALDRIVE1 - - 117.66 MiB - 1 partition
    \PARTITION0 (bootable) - Win95 w/Extended Int 13 - 122.98 MiB - F:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    AV: Anti-Virus - SBC Yahoo! Online Protection v7.0.7.4 (Computer Associates)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Cindy Colon\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=NONE-16FF5BED05
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Cindy Colon
    LOGONSERVER=\\NONE-16FF5BED05
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0905
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\CINDYC~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\CINDYC~1\LOCALS~1\Temp
    USERDOMAIN=NONE-16FF5BED05
    USERNAME=Cindy Colon
    USERPROFILE=C:\Documents and Settings\Cindy Colon
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Cindy Colon (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
    Agere Systems AC'97 Modem --> agrsmdel
    Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
    ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_classISPLAY -clean
    BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
    DVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
    Enhancement Browser Tools Bannerstyle --> C:\WINDOWS\system32\erlzingreyipb.exe
    Gateway Drivers and Applications Recovery --> C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\jimmy\HijackThis.exe" /uninstall
    Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Launch Manager V1.1.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0846526-66DD-4DC9-A02C-98F9A2806812}\setup.exe" -l0x9 -uninst
    LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
    Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
    SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type201 / Error
    Event Submitted/Written: 07/10/2008 07:26:33 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
    Processing media-specific event for [iexplore.exe!ws!]

    Event Record #/Type194 / Error
    Event Submitted/Written: 07/09/2008 10:03:32 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
    Processing media-specific event for [iexplore.exe!ws!]

    Event Record #/Type193 / Error
    Event Submitted/Written: 07/09/2008 10:00:11 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type186 / Warning
    Event Submitted/Written: 07/09/2008 03:19:54 PM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type182 / Error
    Event Submitted/Written: 07/09/2008 00:57:32 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application ybrowser.exe, version 2005.8.12.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type537 / Error
    Event Submitted/Written: 07/16/2008 07:10:16 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service netman with arguments ""
    in order to run the server:
    {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Event Record #/Type536 / Error
    Event Submitted/Written: 07/16/2008 07:09:16 PM
    Event ID/Source: 7026 / Service Control Manager
    Event Description:
    The following boot-start or system-start driver(s) failed to load:
    AFD
    Fips
    intelppm
    IPSec
    MRxSmb
    NetBIOS
    NetBT
    RasAcd
    Rdbss
    Tcpip
    VET-FILT
    VET-REC
    VETEFILE
    VETMONNT

    Event Record #/Type535 / Error
    Event Submitted/Written: 07/16/2008 07:09:16 PM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
    %%31

    Event Record #/Type534 / Error
    Event Submitted/Written: 07/16/2008 07:09:16 PM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
    %%31

    Event Record #/Type533 / Error
    Event Submitted/Written: 07/16/2008 07:09:16 PM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%31



    -- End of Deckard's System Scanner: finished at 2008-07-17 12:02:44 ------------

  8. #8
    Moderator (global), team member: Jintan
    Joined
    25.11.2006
    Posts
    6,369

    Re: HJT log + i have delself on desktop

    Good progress but some active items remain. Let's address those now.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.

    Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.


    Download The Avenger by Swandog from here and save it to your Desktop.

    Disconnect from net access again.

    --------------------------

    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O2 - BHO: bannerstyle browser optimizer - {5be1c609-6326-18c4-8fac-a6693c869b34} - C:\WINDOWS\system32\uduueljjskua.dll (file missing)
    O4 - HKCU\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
    O15 - Trusted Zone: *.sxload.net (HKLM)


    ---------------------------------

    Close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

    Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

    Code:
    Begin copying here:
    Files to delete:
    C:\Twb5.exe
    C:\WINDOWS\system32\erlzingreyipb.exe
    C:\WINDOWS\yoursearchnet_com.exe
    Folders to delete:
    C:\WINDOWS\system32\aumsDK01
    C:\WINDOWS\Q2luZHk
    C:\WINDOWS\system32\tfig
    C:\WINDOWS\system32\net
    C:\WINDOWS\system32\cREG
    C:\WINDOWS\system32\1030
    C:\WINDOWS\system32\olixds01
    C:\Temp
    C:\Program Files\qgrgvob
    C:\WINDOWS\system32\4466
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ShSmart

    Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

    ----------------------------

    Then reconnect to net access and go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    --------------------------------

    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post back that log along with the Kaspersky log and the avenger.txt log please.

  9. #9
    Beginner
    Joined
    15.07.2008
    Posts
    12

    Re: HJT log + i have delself on desktop

    Avenger:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\Twb5.exe" deleted successfully.
    File "C:\WINDOWS\system32\erlzingreyipb.exe" deleted successfully.
    File "C:\WINDOWS\yoursearchnet_com.exe" deleted successfully.
    Folder "C:\WINDOWS\system32\aumsDK01" deleted successfully.
    Folder "C:\WINDOWS\Q2luZHk" deleted successfully.
    Folder "C:\WINDOWS\system32\tfig" deleted successfully.
    Folder "C:\WINDOWS\system32\net" deleted successfully.
    Folder "C:\WINDOWS\system32\cREG" deleted successfully.
    Folder "C:\WINDOWS\system32\1030" deleted successfully.
    Folder "C:\WINDOWS\system32\olixds01" deleted successfully.
    Folder "C:\Temp" deleted successfully.
    Folder "C:\Program Files\qgrgvob" deleted successfully.
    Folder "C:\WINDOWS\system32\4466" deleted successfully.
    Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|ShSmart" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    Kaspersky:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, July 17, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, July 18, 2008 02:03:50
    Records in database: 966893
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 22053
    Threat name: 28
    Infected objects: 34
    Suspicious objects: 0
    Duration of the scan: 00:31:08


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\vkvkboxy\pmhepgds.exe Infected: Trojan.Win32.Obfuscated.gx 1
    C:\QooBox\Quarantine\C\Documents and Settings\Cindy Colon\My Documents\MBOLS~1\spool32.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj 1
    C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a 1
    C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.w 1
    C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.x 1
    C:\QooBox\Quarantine\C\WINDOWS\444.470.vir Infected: Trojan.Win32.DNSChanger.eys 1
    C:\QooBox\Quarantine\C\WINDOWS\braviax.exe.vir Infected: Trojan-Downloader.Win32.Agent.vra 1
    C:\QooBox\Quarantine\C\WINDOWS\cru629.dat.vir Infected: Backdoor.Win32.Small.cyb 1
    C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b 1
    C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: Hoax.Win32.Renos.vajj 1
    C:\QooBox\Quarantine\C\WINDOWS\PerfInfo\G7FO2bsDfwwp.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.bvl 1
    C:\QooBox\Quarantine\C\WINDOWS\portsv.exe.vir Infected: Trojan.Win32.Agent.sdd 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.Agent.vra 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Infected: Backdoor.Win32.Small.cyb 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ndiswann.sys.zip Infected: Rootkit.Win32.Agent.aol 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fezfwc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bqs 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\hdiytugf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aahe 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\hnogixqq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bqs 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJDUnki.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\nNeBqnLc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aahc 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ogrdtxsf.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ojagraxb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qvm 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\qcntrtdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bv 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\winivstr.exe.vir Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.c 1
    C:\QooBox\Quarantine\C\WINDOWS\winself.exe.vir Infected: Trojan.Win32.DNSChanger.dek 1
    C:\QooBox\Quarantine\catchme2008-07-11_151545.74.zip Infected: Rootkit.Win32.Clbd.en 1
    C:\QooBox\Quarantine\catchme2008-07-11_151545.74.zip Infected: Rootkit.Win32.Clbd.dp 1
    C:\SDFix\backups\backups.zip Infected: not-a-virus:AdWare.Win32.ZenoSearch.bp 1
    C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.VB.fuu 1
    C:\WINDOWS\hgvehqlw.dll Infected: Trojan.Win32.Obfuscated.gx 1

    The selected area was scanned.

    DSS main txt:

    Deckard's System Scanner v20071014.68
    Run by Cindy Colon on 2008-07-17 19:51:36
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 511 MiB (512 MiB recommended).


    -- HijackThis (run as Cindy Colon.exe) -----------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:51:46 PM, on 7/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\PanelICON.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\Documents and Settings\Cindy Colon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\jimmy\CINDYC~1.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [LMgrPanelICON] C:\Program Files\Launch Manager\PanelICON.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144655284394
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    --
    End of file - 4109 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\jimmy\backups\) --------------

    backup-20080717-173802-503 O15 - Trusted Zone: *.sxload.net (HKLM)
    backup-20080717-173802-603 O2 - BHO: bannerstyle browser optimizer - {5be1c609-6326-18c4-8fac-a6693c869b34} - C:\WINDOWS\system32\uduueljjskua.dll (file missing)
    backup-20080717-173802-723 O4 - HKCU\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 Hotkey - c:\windows\system32\drivers\hotkey.sys

    S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
    S3 catchme - c:\docume~1\cindyc~1\locals~1\temp\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-06-17 and 2008-07-17 -----------------------------

    2008-07-17 18:41:49 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-07-17 18:41:48 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-07-17 18:41:47 6550 --a------ C:\WINDOWS\jautoexp.dat
    2008-07-17 18:41:40 113 --a------ C:\WINDOWS\system32\zonedon.reg
    2008-07-17 18:41:40 113 --a------ C:\WINDOWS\system32\zonedoff.reg
    2008-07-17 18:22:31 286 --a------ C:\avexport.bat
    2008-07-16 19:36:48 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\Malwarebytes
    2008-07-16 19:36:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-16 19:36:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-16 19:11:36 0 d-------- C:\WINDOWS\ERUNT
    2008-07-11 14:46:37 68096 --a------ C:\WINDOWS\zip.exe
    2008-07-11 14:46:37 49152 --a------ C:\WINDOWS\VFind.exe
    2008-07-11 14:46:37 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-07-11 14:46:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-07-11 14:46:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-07-11 14:46:37 98816 --a------ C:\WINDOWS\sed.exe
    2008-07-11 14:46:37 80412 --a------ C:\WINDOWS\grep.exe
    2008-07-11 14:46:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-07-11 14:39:43 0 d-------- C:\Program Files\Trend Micro
    2008-07-10 21:13:01 0 d-------- C:\Documents and Settings\Administrator\Favorites
    2008-07-10 21:13:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-07-10 21:13:01 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2008-07-10 21:13:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2008-07-10 21:13:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2008-07-10 21:13:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2008-07-10 21:13:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Recent
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2008-07-10 21:13:00 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2008-07-10 21:13:00 0 d-------- C:\Documents and Settings\Administrator\My Documents
    2008-07-10 21:13:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2008-07-10 19:40:48 0 d-------- C:\WINDOWS\Sun
    2008-07-10 19:40:48 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\Sun


    -- Find3M Report ---------------------------------------------------------------

    2008-07-17 18:35:59 0 d-------- C:\Program Files\Yahoo!
    2008-07-17 18:34:57 0 d-------- C:\Program Files\Common Files\Scanner
    2008-07-16 19:17:33 0 d-------- C:\Program Files\Common Files
    2008-07-09 19:43:08 0 d-------- C:\Program Files\Common Files\Motive
    2008-07-09 19:42:33 0 d-------- C:\Program Files\SBC Self Support Tool
    2008-07-09 13:03:25 0 d-------- C:\Documents and Settings\Cindy Colon\Application Data\LimeWire


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/24/2003 09:51 PM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/24/2003 09:44 PM]
    "AGRSMMSG"="AGRSMMSG.exe" [06/27/2003 07:53 AM C:\WINDOWS\AGRSMMSG.exe]
    "SoundMan"="SOUNDMAN.EXE" [08/15/2003 02:34 PM C:\WINDOWS\SOUNDMAN.EXE]
    "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [05/12/2003 02:28 PM]
    "HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [09/24/2003 01:53 PM]
    "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [09/16/2003 02:28 PM]
    "LMgrPanelICON"="C:\Program Files\Launch Manager\PanelICON.exe" [09/24/2003 04:37 PM]
    "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [09/12/2003 03:24 PM]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 02:02 PM]
    "Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 04:52 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
    backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    Ati2mdxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    1




    -- End of Deckard's System Scanner: finished at 2008-07-17 19:52:13 ------------

  10. #10
    Moderator (global), team member: Jintan
    Registered since
    25.11.2006
    Posts
    6.369

    Re: HJT log + i have delself on desktop

    Much improved. Kaspersky located mostly items already removed by ComboFix, and some other bad files we will delete. Due to the type and level of infection there, we'll then need to add an additional scan, just to round out our repairs.


    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it badfixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.

    ------------------------------

    Also an install our repairs left as a remnant to remove.

    Open Hijackthis.
    Click Config - Misc Tools - Open Uninstall Manager again.
    A list of the entries in Add/Remove programs will appear.
    Click to highlight Enhancement Browser Tools Bannerstyle then click "Delete this entry".


    --------------------------------

    Open OTMoveIt again.

    Copy the file path(s) below to the clipboard (by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):

    Code:
    C:\Documents and Settings\All Users\Application Data\vkvkboxy\pmhepgds.exe
    C:\WINDOWS\hgvehqlw.dll

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

    -----------------------------------

    Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

    If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.



    Then Go here and download the free version of SUPERAntiSpyware and install it.

    After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

    Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

    Start-up Options:
    *Start SUPERAntiSpyware when Windows starts

    Automatic Updates:
    *Check for program updates when the application starts.

    Start-up Scanning:
    *Check for updates before scanning on startup.

    Click the Scan your Computer button. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.


    SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

    Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here along with the OTMoveIt log please.
    Live the day!

    Jintan - the brand where everything is right!
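As an added example (not code from this post or from the tools it names), here is a PowerShell check of the SecurityProviders value that the badfixer.reg above resets: it reports any DLL not in the clean list from the fix, which is how a malicious provider left behind by an infection would show up, and can optionally rewrite the value. The `-Restore` switch and the function names are assumptions of this example, and the baseline is the Windows XP list given in the fix above, not the defaults of newer Windows versions.

```powershell
# Added example: audit (and optionally restore) the SecurityProviders value.
# Run from an elevated PowerShell prompt on the affected machine.
# -Restore is an assumed parameter name for this example.
param([switch]$Restore)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
# Baseline taken from the badfixer.reg in the post above (XP-era defaults)
$Baseline = @('msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll')

function Get-SecurityProviderList {
    $raw = (Get-ItemProperty -Path $KeyPath -Name SecurityProviders).SecurityProviders
    # Split on commas, trim whitespace, drop empty entries (a trailing comma,
    # as in the DSS log earlier in this thread, yields an empty element)
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Compare-SecurityProviders {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains is case-insensitive, so Schannel.dll and schannel.dll match
    $extra   = $Actual   | Where-Object { $Expected -notcontains $_ }
    $missing = $Expected | Where-Object { $Actual   -notcontains $_ }
    return [pscustomobject]@{ Extra = @($extra); Missing = @($missing) }
}

$actual = Get-SecurityProviderList
$diff   = Compare-SecurityProviders -Actual $actual -Expected $Baseline

"Current SecurityProviders : $($actual -join ', ')"
if ($diff.Extra)   { "UNEXPECTED providers (investigate): $($diff.Extra -join ', ')" }
if ($diff.Missing) { "MISSING baseline providers        : $($diff.Missing -join ', ')" }
if (-not $diff.Extra -and -not $diff.Missing) {
    "SecurityProviders matches the baseline list."
}

if ($Restore -and ($diff.Extra -or $diff.Missing)) {
    # Writes the same value the badfixer.reg above merges
    Set-ItemProperty -Path $KeyPath -Name SecurityProviders -Value ($Baseline -join ', ')
    "Restored SecurityProviders to: $($Baseline -join ', ')"
}
```

Any DLL reported as unexpected should be checked (publisher, path, hash) before it is removed, since legitimate third-party software can also register a security provider.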
