
Author Topic: Help with Trojan-Psw.onlinegames  (Read 11422 times)


sieghart

    Topic Starter
    Help with Trojan-Psw.onlinegames
    « on: July 31, 2008, 11:07:18 PM »
    Hi, for the last two days when I start up Windows, I keep getting alerts from my AVG Resident Shield showing that my computer has been infected with Trojan-PSW.OnlineGames.JJ, Trojan-PSW.GEN and other similar threats. They were deleted, but whenever I rebooted, I received the same trojan alerts again. What should I do to remove these trojans for good?

    kuszmania9999
    Re: Help with Trojan-Psw.onlinegames
    « Reply #1 on: July 31, 2008, 11:12:02 PM »

    Install, update, and run a full scan in Safe Mode.

    Quote
    Posting advice without having the title "Malware Removal Specialist" under your user name in the Computer Viruses and Spyware forum will get your post edited or deleted as the wrong advice is too risky for the users we are trying to help.
    http://www.computerhope.com/forum/index.php/topic,57605.0.html

    Any questions PM evilfantasy
    « Last Edit: July 31, 2008, 11:14:56 PM by evilfantasy »

    evilfantasy

    • Malware Removal Specialist
    • Moderator
    Re: Help with Trojan-Psw.onlinegames
    « Reply #2 on: July 31, 2008, 11:13:45 PM »
    Welcome to Computer Hope!

    Please don't use abbreviations or txt talk. I have to understand exactly what you're describing to help you fix this. Some things you might need to do will be very important, and you don't want me misunderstanding you and potentially removing the wrong thing from the PC ;)

    That said, please go here and read the instructions to the guide to getting started. Post the logs when complete and we will see what's going on with your PC.

    sieghart

      Topic Starter
      Re: Help with Trojan-Psw.onlinegames
      « Reply #3 on: July 31, 2008, 11:24:46 PM »
      I've installed CCleaner just now, but I can't open it. It gives me this message:

      "The application or DLL C:\WINDOWS\system32\pedadt.dll is not a valid windows image. Please check this against your installation diskette."

      What might be happening? Thanks in advance.

      evilfantasy

      • Malware Removal Specialist
      • Moderator
      Re: Help with Trojan-Psw.onlinegames
      « Reply #4 on: July 31, 2008, 11:27:34 PM »
      Try this.

      Download and rename TrendMicro HijackThis.exe (HJT)

      • Double-click on HJTInstall.
      • Click on the Install button.
      • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
      • Upon install, HijackThis should open for you.
      • Important! If using Windows Vista, right-click and Run As Administrator.
      • Click on the Do a system scan and save a log file button
      • HijackThis will scan and then a log will open in notepad.
      • Copy and then paste the entire contents of the log in your post.
      • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
      Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

      sieghart

        Topic Starter
        Re: Help with Trojan-Psw.onlinegames
        « Reply #5 on: July 31, 2008, 11:35:45 PM »
        I've installed HJT, but when I click on it, nothing happens. I tried to open Task Manager to see if it's running, but now even Task Manager doesn't open. What should I do next?

        evilfantasy

        • Malware Removal Specialist
        • Moderator
        Re: Help with Trojan-Psw.onlinegames
        « Reply #6 on: July 31, 2008, 11:41:02 PM »
        Try this.

        Run this online scan. Requires Internet Explorer.

        Use the ESET Nod32 Online Scanner

        1. Check the box next to YES, I accept the Terms of Use.
        2. Click Start
        3. When asked, allow the ActiveX control to install
        4. Click Start
        5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
        6. Click Scan
        7. Wait for the scan to finish
        8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
        9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply

        sieghart

          Topic Starter
          Re: Help with Trojan-Psw.onlinegames
          « Reply #7 on: August 01, 2008, 02:21:47 AM »
          OK, I've rebooted and got CCleaner to run and complete. I did the ESET antivirus scan and here's the log:

          # version=4
          # OnlineScanner.ocx=1.0.0.635
          # OnlineScannerDLLA.dll=1, 0, 0, 79
          # OnlineScannerDLLW.dll=1, 0, 0, 78
          # OnlineScannerUninstaller.exe=1, 0, 0, 49
          # vers_standard_module=3316 (20080731)
          # vers_arch_module=1.064 (20080214)
          # vers_adv_heur_module=1.066 (20070917)
          # EOSSerial=72ab085182bb4f4db252e030ec8c581b
          # end=finished
          # remove_checked=true
          # unwanted_checked=true
          # utc_time=2008-08-01 08:10:11
          # local_time=2008-08-01 04:10:11 (+0800, Malay Peninsula Standard Time)
          # country="United States"
          # osver=5.1.2600 NT Service Pack 2
          # scanned=303769
          # found=1
          # scan_time=3853
          C:\WINDOWS\system32\jhfrxz.dll   a variant of Win32/PSW.OnLineGames.NOA trojan (unable to clean - deleted (after the next restart))   00000000000000000000000000000000


          I'm still scanning using SUPERAntiSpyware. Will post results ASAP. Thanks.

          CBMatt

          • Mod & Malware Specialist
          Re: Help with Trojan-Psw.onlinegames
          « Reply #8 on: August 01, 2008, 02:35:37 AM »
          Once your scans are complete, try running HJT again to see if it'll work. If it does, then be sure to post the log here.

          sieghart

            Topic Starter
            Re: Help with Trojan-Psw.onlinegames
            « Reply #9 on: August 01, 2008, 03:05:50 AM »
            OK, completed all scans. I shall post the results here.

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 08/01/2008 at 04:18 PM

            Application Version : 4.15.1000

            Core Rules Database Version : 3523
            Trace Rules Database Version: 1513

            Scan type       : Complete Scan
            Total Scan Time : 01:17:36

            Memory items scanned      : 528
            Memory threats detected   : 2
            Registry items scanned    : 5783
            Registry threats detected : 11
            File items scanned        : 80311
            File threats detected     : 30

            Trojan.Dropper/Game
               C:\WINDOWS\SYSTEM32\JHFRXZ.DLL
               C:\WINDOWS\SYSTEM32\JHFRXZ.DLL
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}\InProcServer32
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}\InProcServer32#ThreadingModel
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{6464E1B0-C722-4393-84D4-12168128031E}\RP321\A0035304.DLL
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{6464E1B0-C722-4393-84D4-12168128031E}\RP323\A0036331.DLL

            Trojan.Dropper/Packed
               C:\WINDOWS\SYSTEM32\DEBUG.EXE
               C:\WINDOWS\SYSTEM32\DEBUG.EXE

            Unclassified.Unknown Origin
               HKLM\Software\Classes\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32#ThreadingModel
               C:\WINDOWS\SYSTEM32\DDSERH.DLL
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A9895933-6636-4281-BC58-EE6DE2AF96E3}

            Adware.Tracking Cookie

            sieghart

              Topic Starter
              Re: Help with Trojan-Psw.onlinegames
              « Reply #10 on: August 01, 2008, 03:09:01 AM »
              Malwarebytes' Anti-Malware 1.24
              Database version: 1014
              Windows 5.1.2600 Service Pack 2

              4:41:33 PM 8/1/2008
              mbam-log-8-1-2008 (16-41-33).txt

              Scan type: Quick Scan
              Objects scanned: 55855
              Time elapsed: 6 minute(s), 21 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 120
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 1

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CLASSES_ROOT\activationmanager.activationmanager (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\activationmanager.activationmanager.1 (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\Interface\{831cbac4-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\Typelib\{831cbac2-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\ConnectionServices (Adware.BHO) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe (Security.Hijack) -> Quarantined and deleted successfully.

              sieghart

                Topic Starter
                Re: Help with Trojan-Psw.onlinegames
                « Reply #11 on: August 01, 2008, 03:09:35 AM »
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.

                Registry Values Infected:
                (No malicious items detected)

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                (No malicious items detected)

                Files Infected:
                C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

                sieghart

                  Topic Starter

                  Re: Help with Trojan-Psw.onlinegames
                  « Reply #12 on: August 01, 2008, 03:10:11 AM »
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 5:01:36 PM, on 8/1/2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16674)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                  C:\WINDOWS\eHome\ehRecvr.exe
                  C:\WINDOWS\eHome\ehSched.exe
                  C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\PROGRA~1\AVG\AVG8\avgrsx.exe
                  C:\PROGRA~1\AVG\AVG8\avgemc.exe
                  C:\WINDOWS\system32\dllhost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\ehome\ehtray.exe
                  C:\WINDOWS\eHome\ehmsas.exe
                  C:\WINDOWS\RTHDCPL.EXE
                  C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
                  C:\Program Files\QuickTime\QTTask.exe
                  C:\Program Files\iTunes\iTunesHelper.exe
                  C:\PROGRA~1\AVG\AVG8\avgtray.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                  C:\Program Files\iPod\bin\iPodService.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
                  C:\WINDOWS\system32\msiexec.exe
                  C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                  C:\Program Files\Mozilla Firefox\firefox.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Trend Micro\HijackThis\sniper.exe

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
                  O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
                  O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                  O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
                  O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                  O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
                  O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                  O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
                  O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
                  O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
                  O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
                  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
                  O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
                  O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
                  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
                  O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
                  O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
                  O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
                  O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
                  O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                  O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
                  O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
                  O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
                  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
                  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  O4 - Global Startup: hp psc 1000 series.lnk = ?
                  O4 - Global Startup: hpoddt01.exe.lnk = ?
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                  O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
                  O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                  O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
                  O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?c02d49201f3842b5bcc3fe3a48696181
                  O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?c02d49201f3842b5bcc3fe3a48696181
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                  O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
                  O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
                  O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
                  O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
                  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
                  O20 - AppInit_DLLs: zsqf.dll,ytfa.dll,ytfb.dll,ytfc.dll,
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                  O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                  O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
                  O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
                  O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                  O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
                  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                  O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                  O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
                  O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                  O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

                  --
                  End of file - 11270 bytes

                  CBMatt

                  • Mod & Malware Specialist
                  Re: Help with Trojan-Psw.onlinegames
                  « Reply #13 on: August 01, 2008, 03:54:13 AM »
                  It looks like those scans probably helped quite a bit because your HJT log doesn't look too bad.  One of the main things I see is that you have the Dealio toolbar.  Many consider this to be adware/spyware, but it's not necessarily malicious, so whether or not you keep it is entirely up to you.

                  Now, your computer has been cleared of a New.Net infection, so I want you to open up your Add/Remove Programs and uninstall any instances of NewDotNet or New.Net Domains. Then, download LSPFix from here. Run the LSPFix.exe that you have just finished downloading and check the "I know what I'm doing" box. In the "Keep" box, look for any instances of newdotnet6_38.dll. If any exist, move them to the "Remove" box and click on the >> button. When you are done, click Finish. The entry may very well not exist, but we want to be sure.

                  Once that's done, I want you to download ComboFix. Run the program (avoid clicking on the window or doing anything as it scans) and when the scan is complete (this could take 2 to 10 minutes), post the log here. I want to make sure some of these files of yours aren't coming back.

                  Also, let us know if your computer's condition has improved at all or if you're still having the same problems.
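As an added example (not from the thread, and not HijackThis or LSPFix code), a small Python triage of the markers in the HJT log posted above: the broken O10 LSP entry that the reply tells the poster to repair with LSPFix, the orphaned "(no file)" and "(file missing)" entries, and, going a step beyond what the reply comments on, the O20 AppInit_DLLs line that lists four bare, randomly named DLLs. The sample lines are copied from the posted log; the severity heuristics are assumptions of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O20 - AppInit_DLLs: zsqf.dll,ytfa.dll,ytfb.dll,ytfc.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section tag such as "O20"
    severity: str  # "high", "medium" or "info"
    detail: str


# HJT prints the AppInit_DLLs value verbatim. Windows ships it empty, and
# every DLL listed there is loaded into each process that maps user32.dll.
_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
# The O10 line HJT emits when a Winsock LSP provider's DLL is gone.
_LSP_RE = re.compile(r"^O10 - .*LSP provider '([^']+)' missing$")
_SECTION_RE = re.compile(r"^([RFNO]\d+) - ")


def _bare_random_name(dll: str) -> bool:
    """Heuristic (assumption of this example): a bare file name with a
    four-letter lowercase stem and no path, like the zsqf/ytfa entries in
    the posted log. Legitimate AppInit DLLs almost always carry a full path."""
    if "\\" in dll:
        return False
    stem = dll.lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    return re.fullmatch(r"[a-z]{4}", stem) is not None


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries a reviewer would look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _APPINIT_RE.match(line)
        if m:
            for dll in (d.strip() for d in m.group(1).split(",")):
                if not dll:
                    continue  # trailing comma, as in the posted line
                sev = "high" if _bare_random_name(dll) else "medium"
                findings.append(Finding("O20", sev,
                                        f"AppInit_DLLs injects {dll} into every GUI process"))
            continue
        m = _LSP_RE.match(line)
        if m:
            findings.append(Finding("O10", "medium",
                                    f"Winsock LSP chain points at missing {m.group(1)}; "
                                    "repair the chain rather than deleting the key"))
            continue
        sec = _SECTION_RE.match(line)
        if sec and (line.endswith("(no file)") or line.endswith("(file missing)")):
            findings.append(Finding(sec.group(1), "info",
                                    f"orphaned entry whose target is gone: {line}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to the single worst severity seen."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="info")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```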

                  sieghart

                    Topic Starter

                    Re: Help with Trojan-Psw.onlinegames
                    « Reply #14 on: August 01, 2008, 04:20:21 AM »
                    I've removed the newdotnet6_38.dll using LSPFix.
                    Here's the ComboFix log text.

                    ComboFix 08-07-31.01 - Sieghart 2008-08-01 18:08:13.1 - NTFSx86
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1331 [GMT 8:00]
                    Running from: C:\Documents and Settings\Sieghart\My Documents\Softies\ComboFix.exe
                     * Created a new restore point

                    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    C:\WINDOWS\system32\_000006_.tmp.dll
                    C:\WINDOWS\system32\jdsaex.dll.LoG

                    .
                    (((((((((((((((((((((((((   Files Created from 2008-07-01 to 2008-08-01  )))))))))))))))))))))))))))))))
                    .

                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                    2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                    2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005627AA
                    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005622E7
                    2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
                    2008-08-01 14:50 . 2008-08-01 15:04   <DIR>   d--hs----   C:\00008760
                    2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                    2008-08-01 13:44 . 2008-08-01 13:58   <DIR>   d--hs----   C:\000077A1
                    2008-08-01 13:40 . 2008-08-01 13:40   <DIR>   d--hs----   C:\00006F63
                    2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
                    2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
                    2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
                    2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
                    2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
                    2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
                    2008-08-01 11:11 . 2008-08-01 12:42   <DIR>   d--hs----   C:\0000700F
                    2008-07-31 22:35 . 2008-08-01 11:16   <DIR>   d--hs----   C:\00006D21
                    2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
                    2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
                    2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
                    2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
                    2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
                    2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
                    2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
                    2008-07-13 10:16 . 2008-08-01 11:12   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
                    2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
                    2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
                    2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
                    2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
                    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
                    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
                    2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
                    2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
                    2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
                    2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
                    2008-07-31 05:39   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
                    2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
                    2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
                    2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
                    2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
                    2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
                    2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
                    2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
                    2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
                    2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
                    2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
                    2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
                    2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                    2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
                    2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
                    2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
                    2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
                    .

                    ------- Sigcheck -------

                    2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
                    .
                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
                    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
                    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
                    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
                    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
                    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
                    "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
                    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
                    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
                    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
                    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
                    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
                    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
                    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
                    "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
                    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

                    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
                    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
                    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
                    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
                    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                    "VIDC.MFZ0"= MyFlashZip0.ax
                    "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "AntiVirusDisableNotify"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "C:\\Program Files\\uTorrent\\utorrent.exe"=
                    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
                    "C:\\Program Files\\iTunes\\iTunes.exe"=
                    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "6112:TCP"= 6112:TCP:hamachi

                    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
                    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
                    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
                    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]
                    S3 FUCKALLGUARD;FUCKALLGUARD;C:\00E74EB8\00E74EC0 []

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
                    \Shell\AutoRun\command - N:\Autorun.exe

                    *Newly Created Service* - BEEP
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
                    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

                    2008-08-01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
                    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

                    2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
                    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
                    .
                    - - - - ORPHANS REMOVED - - - -

                    HKCU-Run-Utopia Angel - C:\Utopia\Angel\Angel.exe
                    Notify-WgaLogon - (no file)


                    .
                    ------- Supplementary Scan -------
                    .
                    FireFox -: Profile - C:\Documents and Settings\Sieghart\Application Data\Mozilla\Firefox\Profiles\qb4bolbx.default\
                    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


                    **************************************************************************

                    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2008-08-01 18:13:22
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ...

                    scanning hidden autostart entries ...

                    scanning hidden files ...

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************

                    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FUCKALLGUARD]
                    "ImagePath"="\??\C:\00E74EB8\00E74EC0"
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    C:\WINDOWS\system32\ati2evxx.exe
                    C:\WINDOWS\system32\ati2evxx.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\WINDOWS\ehome\ehRecvr.exe
                    C:\WINDOWS\ehome\ehSched.exe
                    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                    C:\Program Files\AVG\AVG8\avgrsx.exe
                    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                    C:\WINDOWS\system32\dllhost.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    C:\WINDOWS\ehome\ehmsas.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
                    C:\WINDOWS\system32\wscntfy.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2008-08-01 18:16:10 - machine was rebooted
                    ComboFix-quarantined-files.txt  2008-08-01 10:16:07

                    Pre-Run: 60,367,642,624 bytes free
                    Post-Run: 61,587,128,320 bytes free

                    209   --- E O F ---   2008-07-22 01:11:08