
Author Topic: Help with Trojan-Psw.onlinegames  (Read 11564 times)


sieghart

    Topic Starter


    Rookie

    Help with Trojan-Psw.onlinegames
    « on: July 31, 2008, 11:07:18 PM »
    Hi, for the past two days when I start up Windows I keep getting alerts from my AVG Resident Shield showing that my computer has been infected with Trojan-PSW.OnlineGames.JJ, Trojan-PSW.GEN and other similar threats. They were deleted, but whenever I rebooted I received the same trojan alerts again. What should I do to remove these trojans for good?

    kuszmania9999



      Adviser

      Thanked: 3
      • citizenship
    • Experience: Beginner
    • OS: Unknown
    Re: Help with Trojan-Psw.onlinegames
    « Reply #1 on: July 31, 2008, 11:12:02 PM »

    install, update, and run a full scan in safe mode

    Quote
    Posting advice without having the title "Malware Removal Specialist" under your user name in the Computer Viruses and Spyware forum will get your post edited or deleted as the wrong advice is too risky for the users we are trying to help.
    http://www.computerhope.com/forum/index.php/topic,57605.0.html

    Any questions PM evilfantasy
    « Last Edit: July 31, 2008, 11:14:56 PM by evilfantasy »

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Help with Trojan-Psw.onlinegames
    « Reply #2 on: July 31, 2008, 11:13:45 PM »
    Welcome to Computer Hope!

    Please don't use abbreviations or txt talk. I have to understand exactly what you're describing to help you fix this. Some things you might need to do will be very important and you don't want me misunderstanding you and potentially removing the wrong thing from the PC ;)

    That said, please go here and read the instructions in the guide to getting started. Post the logs when complete and we will see what's going on with your PC.

    sieghart

      Topic Starter


      Rookie

      Re: Help with Trojan-Psw.onlinegames
      « Reply #3 on: July 31, 2008, 11:24:46 PM »
      I've installed CCleaner just now, but I can't open it. It gives me this message:

      "The application or DLL C:\WINDOWS\system32\pedadt.dll is not a valid windows image. Please check this against your installation diskette."

      What might be happening? Thanks in advance.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Help with Trojan-Psw.onlinegames
      « Reply #4 on: July 31, 2008, 11:27:34 PM »
      Try this.

      Download and rename TrendMicro HijackThis.exe (HJT)

      • Double-click on HJTInstall.
      • Click on the Install button.
      • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
      • Upon install, HijackThis should open for you.
      • Important! If using Windows Vista, Right-click and Run As Administrator
      • Click on the Do a system scan and save a log file button
      • HijackThis will scan and then a log will open in notepad.
      • Copy and then paste the entire contents of the log in your post.
      • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
      Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

      sieghart

        Topic Starter


        Rookie

        Re: Help with Trojan-Psw.onlinegames
        « Reply #5 on: July 31, 2008, 11:35:45 PM »
        I've installed HJT, but when I click on it nothing happens. I tried to open Task Manager to see if it's running, but now even Task Manager doesn't open. What should I do next?

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Help with Trojan-Psw.onlinegames
        « Reply #6 on: July 31, 2008, 11:41:02 PM »
        Try this.

        Run this online scan. Requires Internet Explorer

        Use the ESET Nod32 Online Scanner

        1. Check the box next to YES, I accept the Terms of Use.
        2. Click Start
        3. When asked, allow the ActiveX control to install
        4. Click Start
        5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
        6. Click Scan
        7. Wait for the scan to finish
        8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
        9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply

        sieghart

          Topic Starter


          Rookie

          Re: Help with Trojan-Psw.onlinegames
          « Reply #7 on: August 01, 2008, 02:21:47 AM »
          OK, I've rebooted and got CCleaner to run and complete. I did the ESET antivirus scan and here's the log:

          # version=4
          # OnlineScanner.ocx=1.0.0.635
          # OnlineScannerDLLA.dll=1, 0, 0, 79
          # OnlineScannerDLLW.dll=1, 0, 0, 78
          # OnlineScannerUninstaller.exe=1, 0, 0, 49
          # vers_standard_module=3316 (20080731)
          # vers_arch_module=1.064 (20080214)
          # vers_adv_heur_module=1.066 (20070917)
          # EOSSerial=72ab085182bb4f4db252e030ec8c581b
          # end=finished
          # remove_checked=true
          # unwanted_checked=true
          # utc_time=2008-08-01 08:10:11
          # local_time=2008-08-01 04:10:11 (+0800, Malay Peninsula Standard Time)
          # country="United States"
          # osver=5.1.2600 NT Service Pack 2
          # scanned=303769
          # found=1
          # scan_time=3853
          C:\WINDOWS\system32\jhfrxz.dll   a variant of Win32/PSW.OnLineGames.NOA trojan (unable to clean - deleted (after the next restart))   00000000000000000000000000000000


          I'm still scanning using SUPERAntiSpyware. Will post results ASAP. Thanks.

          CBMatt

          • Mod & Malware Specialist


          • Prodigy

          • Sad and lonely...and loving every minute of it.
          • Thanked: 167
          • Experience: Experienced
          • OS: Windows 7
          Re: Help with Trojan-Psw.onlinegames
          « Reply #8 on: August 01, 2008, 02:35:37 AM »
          Once your scans are complete, try running HJT again to see if it'll work.  If it does, then be sure to post the log here.
          Quote
          An undefined problem has an infinite number of solutions.
          —Robert A. Humphrey

          sieghart

            Topic Starter


            Rookie

            Re: Help with Trojan-Psw.onlinegames
            « Reply #9 on: August 01, 2008, 03:05:50 AM »
            OK, completed all scans. I shall post the results here.

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 08/01/2008 at 04:18 PM

            Application Version : 4.15.1000

            Core Rules Database Version : 3523
            Trace Rules Database Version: 1513

            Scan type       : Complete Scan
            Total Scan Time : 01:17:36

            Memory items scanned      : 528
            Memory threats detected   : 2
            Registry items scanned    : 5783
            Registry threats detected : 11
            File items scanned        : 80311
            File threats detected     : 30

            Trojan.Dropper/Game
               C:\WINDOWS\SYSTEM32\JHFRXZ.DLL
               C:\WINDOWS\SYSTEM32\JHFRXZ.DLL
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}\InProcServer32
               HKCR\CLSID\{7914E0AA-ECCB-4311-B584-C49538227824}\InProcServer32#ThreadingModel
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{6464E1B0-C722-4393-84D4-12168128031E}\RP321\A0035304.DLL
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{6464E1B0-C722-4393-84D4-12168128031E}\RP323\A0036331.DLL

            Trojan.Dropper/Packed
               C:\WINDOWS\SYSTEM32\DEBUG.EXE
               C:\WINDOWS\SYSTEM32\DEBUG.EXE

            Unclassified.Unknown Origin
               HKLM\Software\Classes\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32
               HKCR\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32#ThreadingModel
               C:\WINDOWS\SYSTEM32\DDSERH.DLL
               HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A9895933-6636-4281-BC58-EE6DE2AF96E3}

            Adware.Tracking Cookie

            sieghart

              Topic Starter


              Rookie

              Re: Help with Trojan-Psw.onlinegames
              « Reply #10 on: August 01, 2008, 03:09:01 AM »
              Malwarebytes' Anti-Malware 1.24
              Database version: 1014
              Windows 5.1.2600 Service Pack 2

              4:41:33 PM 8/1/2008
              mbam-log-8-1-2008 (16-41-33).txt

              Scan type: Quick Scan
              Objects scanned: 55855
              Time elapsed: 6 minute(s), 21 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 120
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 1

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CLASSES_ROOT\activationmanager.activationmanager (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\activationmanager.activationmanager.1 (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\Interface\{831cbac4-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CLASSES_ROOT\Typelib\{831cbac2-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\ConnectionServices (Adware.BHO) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe (Security.Hijack) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe (Security.Hijack) -> Quarantined and deleted successfully.

              sieghart

                Topic Starter


                Rookie

                Re: Help with Trojan-Psw.onlinegames
                « Reply #11 on: August 01, 2008, 03:09:35 AM »
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp (Security.Hijack) -> Quarantined and deleted successfully.

                Registry Values Infected:
                (No malicious items detected)

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                (No malicious items detected)

                Files Infected:
                C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

                sieghart

                  Topic Starter


                  Rookie

                  Re: Help with Trojan-Psw.onlinegames
                  « Reply #12 on: August 01, 2008, 03:10:11 AM »
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 5:01:36 PM, on 8/1/2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16674)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                  C:\WINDOWS\eHome\ehRecvr.exe
                  C:\WINDOWS\eHome\ehSched.exe
                  C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\PROGRA~1\AVG\AVG8\avgrsx.exe
                  C:\PROGRA~1\AVG\AVG8\avgemc.exe
                  C:\WINDOWS\system32\dllhost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\ehome\ehtray.exe
                  C:\WINDOWS\eHome\ehmsas.exe
                  C:\WINDOWS\RTHDCPL.EXE
                  C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
                  C:\Program Files\QuickTime\QTTask.exe
                  C:\Program Files\iTunes\iTunesHelper.exe
                  C:\PROGRA~1\AVG\AVG8\avgtray.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                  C:\Program Files\iPod\bin\iPodService.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\mace.exe
                  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
                  C:\WINDOWS\system32\msiexec.exe
                  C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                  C:\Program Files\Mozilla Firefox\firefox.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Trend Micro\HijackThis\sniper.exe

                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
                  O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
                  O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                  O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
                  O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                  O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
                  O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                  O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
                  O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
                  O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
                  O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
                  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
                  O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
                  O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
                  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
                  O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
                  O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
                  O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
                  O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
                  O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                  O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
                  O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
                  O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
                  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
                  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  O4 - Global Startup: hp psc 1000 series.lnk = ?
                  O4 - Global Startup: hpoddt01.exe.lnk = ?
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                  O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
                  O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                  O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
                  O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?c02d49201f3842b5bcc3fe3a48696181
                  O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?c02d49201f3842b5bcc3fe3a48696181
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                  O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
                  O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
                  O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
                  O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
                  O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
                  O20 - AppInit_DLLs: zsqf.dll,ytfa.dll,ytfb.dll,ytfc.dll,
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                  O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                  O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
                  O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
                  O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                  O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
                  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                  O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                  O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
                  O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                  O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

                  --
                  End of file - 11270 bytes

                  CBMatt

                  • Mod & Malware Specialist


                  • Prodigy

                  • Sad and lonely...and loving every minute of it.
                  • Thanked: 167
                    • Yes
                  • Experience: Experienced
                  • OS: Windows 7
                  Re: Help with Trojan-Psw.onlinegames
                  « Reply #13 on: August 01, 2008, 03:54:13 AM »
                  It looks like those scans probably helped quite a bit because your HJT log doesn't look too bad.  One of the main things I see is that you have the Dealio toolbar.  Many consider this to be adware/spyware, but it's not necessarily malicious, so whether or not you keep it is entirely up to you.

                  Now, your computer has been cleared of a New.Net infection, so I want you to open up your Add/Remove Programs and uninstall any instances of NewDotNet or New.Net Domains.  Then, download LSPFix from here.  Run the LSPFix.exe that you have just finished downloading and check the I know what I'm doing box.  In the Keep box, look for any instances of newdotnet6_38.dll.  If any exist, move them to the Remove box and click on the >> button.  When you are done, click Finish.  The entry may very well not exist, but we want to be sure.

                  Once that's done, I want you to download ComboFix.  Run the program (avoid clicking on the window or doing anything as it scans) and when the scan is complete (this could take 2 to 10 minutes), post the log here.  I want to make sure some of these files of yours aren't coming back.
                  Also, let us know if your computer's condition has improved at all or if you're still having the same problems.
                  Quote
                  An undefined problem has an infinite number of solutions.
                  —Robert A. Humphrey
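The triage CBMatt does by eye (the O10 broken LSP entry for newdotnet6_38.dll, the O20 AppInit_DLLs line, the orphaned "(no file)" and "(file missing)" entries) can be scripted. The script below is an added example, not HijackThis code or anything from this thread; the sample lines are constructed to match the shapes in the log posted above, and the severity labels are the example's own.

```python
"""Triage helper for HijackThis-style log lines (added example; not a HijackThis
or Computer Hope tool).  It flags the entry types that matter in the thread:
O10 broken LSP providers, O20 AppInit_DLLs, and orphaned O2/O3/O4/O23 entries."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O10"
    severity: str  # "high" / "medium" / "low" (example's own scale)
    detail: str
    line: str


# Every HJT entry starts with a section code: "R1 - ...", "O20 - ...", "F2 - ..."
_SECTION_RE = re.compile(r"^\s*([RFO]\d+)\s+-\s+(.*)$")
# O10 text HJT emits when an LSP provider DLL is registered but gone from disk
_O10_RE = re.compile(r"LSP provider '([^']+)' missing")
# O20 AppInit_DLLs: comma-separated DLLs loaded into every process that loads user32.dll
_O20_APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; return None for entries this example does not flag."""
    m = _SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section == "O10":
        lsp = _O10_RE.search(body)
        if lsp:
            # A missing LSP DLL breaks the Winsock chain (the symptom CBMatt sends LSPFix for)
            return Finding("O10", "high", f"broken LSP chain: {lsp.group(1)}", line.strip())
        return Finding("O10", "medium", "LSP entry present", line.strip())
    if section == "O20":
        am = _O20_APPINIT_RE.match(body)
        if am:
            dlls = [d.strip() for d in am.group(1).split(",") if d.strip()]
            if dlls:
                # Any non-empty AppInit_DLLs value deserves review: it is a system-wide injection point
                return Finding("O20", "high",
                               "AppInit_DLLs entry loads into user32-linked processes: "
                               + ", ".join(dlls), line.strip())
            return None
        return Finding("O20", "low", "Winlogon Notify entry", line.strip())
    if section in ("O2", "O3", "O4", "O23") and ("(no file)" in body or "(file missing)" in body):
        # Orphaned registrations: harmless on their own but worth cleaning up
        return Finding(section, "low", "orphaned entry (file missing)", line.strip())
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


# Constructed sample lines reproducing the shapes seen in the log posted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\\program files\\newdotnet\\newdotnet6_38.dll' missing
O20 - AppInit_DLLs: zsqf.dll,ytfa.dll,ytfb.dll,ytfc.dll,
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: LiveUpdate - Unknown owner - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Paste a full HJT log into SAMPLE_LOG (or read it from a file) and the high-severity lines are the ones to raise with the specialist first.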

                  sieghart

                    Topic Starter


                    Rookie

                    Re: Help with Trojan-Psw.onlinegames
                    « Reply #14 on: August 01, 2008, 04:20:21 AM »
I've removed the newdotnet6_38.dll using LSPFix.
Here's the ComboFix log text.

                    ComboFix 08-07-31.01 - Sieghart 2008-08-01 18:08:13.1 - NTFSx86
                    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1331 [GMT 8:00]
                    Running from: C:\Documents and Settings\Sieghart\My Documents\Softies\ComboFix.exe
                     * Created a new restore point

                    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    C:\WINDOWS\system32\_000006_.tmp.dll
                    C:\WINDOWS\system32\jdsaex.dll.LoG

                    .
                    (((((((((((((((((((((((((   Files Created from 2008-07-01 to 2008-08-01  )))))))))))))))))))))))))))))))
                    .

                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
                    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                    2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                    2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005627AA
                    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005622E7
                    2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
                    2008-08-01 14:50 . 2008-08-01 15:04   <DIR>   d--hs----   C:\00008760
                    2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                    2008-08-01 13:44 . 2008-08-01 13:58   <DIR>   d--hs----   C:\000077A1
                    2008-08-01 13:40 . 2008-08-01 13:40   <DIR>   d--hs----   C:\00006F63
                    2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
                    2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
                    2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
                    2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
                    2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
                    2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
                    2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
                    2008-08-01 11:11 . 2008-08-01 12:42   <DIR>   d--hs----   C:\0000700F
                    2008-07-31 22:35 . 2008-08-01 11:16   <DIR>   d--hs----   C:\00006D21
                    2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
                    2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
                    2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
                    2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
                    2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
                    2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
                    2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
                    2008-07-13 10:16 . 2008-08-01 11:12   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
                    2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
                    2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
                    2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
                    2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
                    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
                    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
                    2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
                    2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
                    2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
                    2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
                    2008-07-31 05:39   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
                    2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
                    2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
                    2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
                    2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
                    2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
                    2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
                    2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
                    2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
                    2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
                    2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
                    2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
                    2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                    2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
                    2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
                    2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
                    2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
                    .

                    ------- Sigcheck -------

                    2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
                    .
                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
                    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
                    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
                    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
                    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
                    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
                    "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
                    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
                    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
                    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
                    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
                    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
                    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
                    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
                    "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
                    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

                    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
                    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
                    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
                    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
                    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                    "VIDC.MFZ0"= MyFlashZip0.ax
                    "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "AntiVirusDisableNotify"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                    "%windir%\\system32\\sessmgr.exe"=
                    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                    "C:\\Program Files\\uTorrent\\utorrent.exe"=
                    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
                    "C:\\Program Files\\iTunes\\iTunes.exe"=
                    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                    "6112:TCP"= 6112:TCP:hamachi

                    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
                    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
                    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
                    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]
                    S3 FUCKALLGUARD;FUCKALLGUARD;C:\00E74EB8\00E74EC0 []

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
                    \Shell\AutoRun\command - N:\Autorun.exe

                    *Newly Created Service* - BEEP
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
                    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

                    2008-08-01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
                    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

                    2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
                    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
                    .
                    - - - - ORPHANS REMOVED - - - -

                    HKCU-Run-Utopia Angel - C:\Utopia\Angel\Angel.exe
                    Notify-WgaLogon - (no file)


                    .
                    ------- Supplementary Scan -------
                    .
                    FireFox -: Profile - C:\Documents and Settings\Sieghart\Application Data\Mozilla\Firefox\Profiles\qb4bolbx.default\
                    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


                    **************************************************************************

                    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2008-08-01 18:13:22
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scanning hidden processes ...

                    scanning hidden autostart entries ...

                    scanning hidden files ...

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************

                    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FUCKALLGUARD]
                    "ImagePath"="\??\C:\00E74EB8\00E74EC0"
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    C:\WINDOWS\system32\ati2evxx.exe
                    C:\WINDOWS\system32\ati2evxx.exe
                    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    C:\WINDOWS\ehome\ehRecvr.exe
                    C:\WINDOWS\ehome\ehSched.exe
                    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                    C:\Program Files\AVG\AVG8\avgrsx.exe
                    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                    C:\WINDOWS\system32\dllhost.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    C:\WINDOWS\ehome\ehmsas.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
                    C:\WINDOWS\system32\wscntfy.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
                    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                    .
                    **************************************************************************
                    .
                    Completion time: 2008-08-01 18:16:10 - machine was rebooted
                    ComboFix-quarantined-files.txt  2008-08-01 10:16:07

                    Pre-Run: 60,367,642,624 bytes free
                    Post-Run: 61,587,128,320 bytes free

                    209   --- E O F ---   2008-07-22 01:11:08

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    Re: Help with Trojan-Psw.onlinegames
                    « Reply #15 on: August 01, 2008, 03:51:24 PM »
                    Please go to C:\Documents and Settings\Sieghart\My Documents\Softies\ComboFix.exe, right-click on ComboFix.exe, then Delete it.

                    It is very important for ComboFix to install directly to your desktop.

                    Now please download Combofix by sUBs from one of the below links.

                    Please be sure ComboFix is saved directly to the Desktop.

                    .
                    Let us know when you have done this.

                    sieghart

                      Topic Starter


                      Rookie

                      Re: Help with Trojan-Psw.onlinegames
                      « Reply #16 on: August 01, 2008, 09:07:39 PM »
                      OK, I've downloaded it and ran the program:

                      ComboFix 08-07-31.06 - Sieghart 2008-08-02 11:02:37.2 - NTFSx86
                      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1448 [GMT 8:00]
                      Running from: C:\Documents and Settings\Sieghart\Desktop\ComboFix.exe
                       * Created a new restore point

                      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                      .

                      (((((((((((((((((((((((((   Files Created from 2008-07-02 to 2008-08-02  )))))))))))))))))))))))))))))))
                      .

                      2008-08-01 20:26 . 2008-08-01 20:27   <DIR>   d--hs----   C:\000FE3A0
                      2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                      2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
                      2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                      2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                      2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                      2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005627AA
                      2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005622E7
                      2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                      2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                      2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                      2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
                      2008-08-01 14:50 . 2008-08-01 20:54   <DIR>   d--hs----   C:\00008760
                      2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                      2008-08-01 13:44 . 2008-08-01 20:55   <DIR>   d--hs----   C:\000077A1
                      2008-08-01 13:40 . 2008-08-01 13:40   <DIR>   d--hs----   C:\00006F63
                      2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
                      2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
                      2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
                      2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
                      2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
                      2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
                      2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
                      2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
                      2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
                      2008-08-01 11:11 . 2008-08-01 20:55   <DIR>   d--hs----   C:\0000700F
                      2008-07-31 22:35 . 2008-08-01 20:55   <DIR>   d--hs----   C:\00006D21
                      2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
                      2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
                      2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
                      2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
                      2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
                      2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
                      2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
                      2008-07-13 10:16 . 2008-08-02 09:13   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
                      2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
                      2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
                      2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
                      2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
                      2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
                      2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
                      2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
                      2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
                      2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

                      .
                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2008-08-01 12:26   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
                      2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
                      2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
                      2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
                      2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
                      2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
                      2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
                      2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
                      2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
                      2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
                      2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
                      2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
                      2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
                      2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
                      2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
                      2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                      2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
                      2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
                      2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
                      2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
                      2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
                      .

                      ------- Sigcheck -------

                      2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
                      .
                      (((((((((((((((((((((((((((((   snapshot@2008-08-01_18.15.56.04   )))))))))))))))))))))))))))))))))))))))))
                      .
                      - 2008-07-31 05:39:07   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
                      + 2008-08-01 12:26:48   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
                      .
                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
                      "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
                      "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
                      "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
                      "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
                      "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                      "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                      "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
                      "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
                      "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
                      "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
                      "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
                      "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
                      "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
                      "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
                      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
                      "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
                      "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

                      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
                      hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
                      hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
                      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                      "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
                      "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

                      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                      2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                      "VIDC.MFZ0"= MyFlashZip0.ax
                      "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                      "AntiVirusDisableNotify"=dword:00000001

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                      "DisableMonitoring"=dword:00000001

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=
                      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                      "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                      "C:\\Program Files\\uTorrent\\utorrent.exe"=
                      "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
                      "C:\\Program Files\\iTunes\\iTunes.exe"=
                      "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                      "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                      "6112:TCP"= 6112:TCP:hamachi

                      R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
                      R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
                      R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
                      R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]
                      S3 FUCKALLGUARD;FUCKALLGUARD;C:\00E74EB8\00E74EC0 []

                      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
                      \Shell\AutoRun\command - N:\Autorun.exe

                      *Newly Created Service* - CATCHME
                      .
                      Contents of the 'Scheduled Tasks' folder

                      2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
                      - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

                      2008-08-02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
                      - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

                      2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
                      - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
                      .
                      .
                      ------- Supplementary Scan -------
                      .
                      FireFox -: Profile - C:\Documents and Settings\Sieghart\Application Data\Mozilla\Firefox\Profiles\qb4bolbx.default\
                      FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                      FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


                      **************************************************************************

                      catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2008-08-02 11:04:33
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scanning hidden processes ...

                      scanning hidden autostart entries ...

                      scanning hidden files ...

                      scan completed successfully
                      hidden files: 0

                      **************************************************************************

                      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]
                      "ImagePath"="\??\C:\00E74EB8\00E74EC0"
                      .
                      Completion time: 2008-08-02 11:05:15
                      ComboFix-quarantined-files.txt  2008-08-02 03:05:11
                      ComboFix2.txt  2008-08-01 10:16:11

                      Pre-Run: 61,563,199,488 bytes free
                      Post-Run: 61,557,268,480 bytes free

                      185   --- E O F ---   2008-07-22 01:11:08

                      evilfantasy

                      • Malware Removal Specialist
                      • Moderator


                      • Genius
                      • Calm like a bomb
                      • Thanked: 493
                      • Experience: Experienced
                      • OS: Windows 11
                      Re: Help with Trojan-Psw.onlinegames
                      « Reply #17 on: August 01, 2008, 09:34:58 PM »
                      Do you know what these folders are?

                      C:\000FE3A0
                      C:\005627AA
                      C:\005622E7
                      C:\00008760
                      C:\000077A1
                      C:\00006F63
                      C:\0000700F
                      C:\00006D21

                      Also do you know why this registry key has this name?

                      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]

                      sieghart

                        Topic Starter


                        Rookie

                        Re: Help with Trojan-Psw.onlinegames
                        « Reply #18 on: August 02, 2008, 03:16:49 AM »
                        As much as it puzzles me, I don't recall creating these files at all, especially the registry key. But I know that those numbered files in C:\ were coming up as threats in my AVG, as Trojan-PSW.onlinegames. And it seems every time I deleted it with AVG, it would reappear on reboot.

                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Calm like a bomb
                        • Thanked: 493
                        • Experience: Experienced
                        • OS: Windows 11
                        Re: Help with Trojan-Psw.onlinegames
                        « Reply #19 on: August 02, 2008, 03:58:28 AM »
                        Delete these files/folders, as follows:

                        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                        It must be Notepad, not Wordpad.
                        • Click Start, then Run
                        • Type notepad.exe in the Run Box.
                        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                        Code:
                        KillAll::

                        Folder::
                        C:\000FE3A0
                        C:\005627AA
                        C:\005622E7
                        C:\00008760
                        C:\000077A1
                        C:\00006F63
                        C:\0000700F
                        C:\00006D21

                        Registry::
                        [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]
                        "ImagePath"=-

                        3. Go to the Notepad window and click Edit > Paste
                        4. Then click File > Save
                        5. Name the file CFScript.txt - Save the file to your Desktop
                        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                        ComboFix will begin to execute, just follow the prompts.
                        After reboot (in case it asks to reboot), it will produce a log for you.
                        Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.


sieghart

                          Re: Help with Trojan-Psw.onlinegames
                          « Reply #20 on: August 03, 2008, 03:02:44 AM »
                          ComboFix 08-07-31.06 - Sieghart 2008-08-03 16:51:46.3 - NTFSx86
                          Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1625 [GMT 8:00]
                          Running from: C:\Documents and Settings\Sieghart\Desktop\ComboFix.exe
                          Command switches used :: C:\Documents and Settings\Sieghart\Desktop\CFScript.txt
                           * Created a new restore point

                          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                          .

                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          C:\00006D21
                          C:\00006F63
                          C:\00006F63\28523
                          C:\0000700F
                          C:\000077A1
                          C:\00008760
                          C:\000FE3A0
                          C:\005622E7
                          C:\005627AA
                          C:\005627AA\5646258

                          .
                          (((((((((((((((((((((((((   Files Created from 2008-07-03 to 2008-08-03  )))))))))))))))))))))))))))))))
                          .

                          2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
                          2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
                          2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                          2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
                          2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
                          2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                          2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                          2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                          2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
                          2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                          2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
                          2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
                          2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
                          2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
                          2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
                          2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
                          2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
                          2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
                          2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
                          2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
                          2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
                          2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
                          2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
                          2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
                          2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
                          2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
                          2008-07-13 10:16 . 2008-08-03 12:11   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
                          2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
                          2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
                          2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
                          2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
                          2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
                          2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
                          2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
                          2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
                          2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2008-08-01 12:26   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
                          2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
                          2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
                          2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
                          2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
                          2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
                          2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
                          2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
                          2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
                          2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
                          2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
                          2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
                          2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
                          2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
                          2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                          2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
                          2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
                          2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
                          2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
                          .

                          ------- Sigcheck -------

                          2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
                          .
                          (((((((((((((((((((((((((((((   snapshot@2008-08-01_18.15.56.04   )))))))))))))))))))))))))))))))))))))))))
                          .
                          - 2008-07-31 05:39:07   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
                          + 2008-08-01 12:26:48   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
                          .
                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
                          "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
                          "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
                          "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
                          "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
                          "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                          "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
                          "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
                          "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
                          "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
                          "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
                          "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
                          "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
                          "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
                          "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
                          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
                          "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
                          "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

                          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                          "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

                          C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                          Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
                          hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
                          hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
                          Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                          "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
                          "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

                          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                          2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                          "VIDC.MFZ0"= MyFlashZip0.ax
                          "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                          "AntiVirusDisableNotify"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                          "DisableMonitoring"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "%windir%\\system32\\sessmgr.exe"=
                          "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
                          "C:\\Program Files\\MSN Messenger\\livecall.exe"=
                          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                          "C:\\Program Files\\uTorrent\\utorrent.exe"=
                          "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
                          "C:\\Program Files\\iTunes\\iTunes.exe"=
                          "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                          "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                          "6112:TCP"= 6112:TCP:hamachi

                          R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
                          R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
                          R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
                          R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]

                          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
                          \Shell\AutoRun\command - N:\Autorun.exe
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
                          - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

                          2008-08-03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
                          - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

                          2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
                          - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
                          .
                          **************************************************************************

                          catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2008-08-03 16:56:03
                          Windows 5.1.2600 Service Pack 2 NTFS

                          scanning hidden processes ...

                          scanning hidden autostart entries ...

                          scanning hidden files ...

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          C:\WINDOWS\system32\ati2evxx.exe
                          C:\WINDOWS\system32\ati2evxx.exe
                          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                          C:\WINDOWS\ehome\ehRecvr.exe
                          C:\WINDOWS\ehome\ehSched.exe
                          C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
                          C:\Program Files\AVG\AVG8\avgrsx.exe
                          C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                          C:\WINDOWS\system32\dllhost.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                          C:\WINDOWS\ehome\ehmsas.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                          C:\Program Files\iPod\bin\iPodService.exe
                          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2008-08-03 16:59:29 - machine was rebooted
                          ComboFix-quarantined-files.txt  2008-08-03 08:59:26
                          ComboFix2.txt  2008-08-02 03:05:16
                          ComboFix3.txt  2008-08-01 10:16:11

                          Pre-Run: 61,434,777,600 bytes free
                          Post-Run: 61,517,467,648 bytes free

                          202   --- E O F ---   2008-07-22 01:11:08

evilfantasy
                          Re: Help with Trojan-Psw.onlinegames
                          « Reply #21 on: August 03, 2008, 03:09:37 AM »
Do you have two antivirus programs installed, Symantec and AVG?

                          Download the Norton Removal Tool (SymNRT) to your Desktop.

                          Once downloaded please close ALL open browsers, also save any work because this may require a restart.

                          • Go to your desktop and double click on the removal tool and then click Setup.
                          • Once open Click Next
                          • Accept the license agreement and click Next
                          • Type in the letters/numbers that you see into the text box then click Next.
                          • Then click Next and the tool will start running.
                          • Once finished restart the PC and run the tool again to ensure everything has been removed.
                          ----------

                          Uninstall ComboFix, we are done with it and it isn't a safe tool to keep on the PC.

                          • Click START then RUN
                          • Now type Combofix /u in the runbox
                          • Make sure there's a space between Combofix and /u
                          • Then hit Enter.
                          ----------

                          Use the Kaspersky Online Scanner

                          In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

                          Click on SCAN NOW
                          Click on the Accept button and install any components it needs.
                          • The program will install and then begin downloading the latest definition files.
                          • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
                          • This will start the program and scan your system.
                          • The scan will take a while, so be patient and let it run.
                          • Once the scan is complete, click on View scan report
                          • Now, click on the Save Report as button.
                          • In Save as type: click the drop arrow and select: Text file [*.txt]
                          • Then, click: Save
                          • Save the file to your desktop.
                          Post the Kaspersky log in your next reply.


sieghart

                            Re: Help with Trojan-Psw.onlinegames
                            « Reply #22 on: August 04, 2008, 08:14:17 AM »
                            --------------------------------------------------------------------------------
                            KASPERSKY ONLINE SCANNER 7 REPORT
                             Monday, August 4, 2008
                             Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
                             Kaspersky Online Scanner 7 version: 7.0.25.0
                             Program database last update: Monday, August 04, 2008 09:57:38
                             Records in database: 1052395
                            --------------------------------------------------------------------------------

                            Scan settings:
                               Scan using the following database: extended
                               Scan archives: yes
                               Scan mail databases: yes

                            Scan area - My Computer:
                               C:\
                               D:\
                               E:\
                               F:\
                               G:\
                               H:\
                               I:\
                               J:\
                               K:\
                               L:\
                               M:\

                            Scan statistics:
                               Files scanned: 64710
                               Threat name: 2
                               Infected objects: 4
                               Suspicious objects: 0
                               Duration of the scan: 01:10:49


                            File name / Threat name / Threats count
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script.zip   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
                            C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C56X012D\laco1[1].exe   Infected: Trojan-GameThief.Win32.OnLineGames.siyn   1

                            The selected area was scanned.

evilfantasy
                            Re: Help with Trojan-Psw.onlinegames
                            « Reply #23 on: August 04, 2008, 12:44:28 PM »
Download OTMoveIt2 by OldTimer
                            • Save it to your desktop.
                            Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

                            • Double-click OTMoveIt2.exe to run it.
                            • Copy the lines in the codebox below.
Code:
                            [kill explorer]
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe   
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script.exe   
                            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script.zip   
                            C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C56X012D\laco1[1].exe
                            EmptyTemp
                            [start explorer]
                            • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
                            • Click the red Moveit! button.
                            • Copy everything in the Results window (under the green bar) and paste it in your next reply.
                            • Close OTMoveIt2
                            ----------

                            How is everything now?

sieghart

                              Re: Help with Trojan-Psw.onlinegames
                              « Reply #24 on: August 04, 2008, 09:35:30 PM »
Can I not remove the mIRC program? I know what it's for and Kaspersky stated it's not a virus, just that I don't know why it's singled out as a threat.

evilfantasy
                              Re: Help with Trojan-Psw.onlinegames
                              « Reply #25 on: August 04, 2008, 10:20:42 PM »
                              I'm pretty sure that's not the legitimate Mirc program.

                              http://www.bleepingcomputer.com/startups/mirc.exe-12046.html

                              http://www.threatexpert.com/files/mirc.exe.html

                              You can scan it at VirusTotal if you would like to be sure.

                              Scan Suspicious File(s)

                              Use the VirusTotal.com - Multi engine on-line virus scanner

                              • Copy the file path in the below Code box:
Code:
                              C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe
                              • At the upload site, click once inside the window next to Browse.
                              • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                              • Next click Send File
                                • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                              • This will perform a scan across multiple different virus scanning engines.
                              • Important: Wait for all of the scanning engines to complete.
                              • Copy and then Paste the link to the results in the next reply.
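As an added example (not from the thread, from Computer Hope, or from the scanner vendor), here is a small Python parser for the Kaspersky Online Scanner report format posted above. It separates Kaspersky's `not-a-virus:` verdicts (the mIRC entries sieghart asks about) from true malware verdicts, checks the result lines against the report's own "Infected objects" count, and flags any detection sitting in the LocalSystem profile's Internet Explorer cache, a location written by processes running as SYSTEM rather than by the logged-on user. The sample input is constructed from the result lines of the report above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the summary block and result lines of the Kaspersky
# Online Scanner 7 report posted in this thread, tab-separated as the tool emits them.
SAMPLE_REPORT = (
    "Scan statistics:\n"
    "   Files scanned: 64710\n"
    "   Threat name: 2\n"
    "   Infected objects: 4\n"
    "   Suspicious objects: 0\n"
    "\n"
    "File name / Threat name / Threats count\n"
    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe\t"
    "Infected: not-a-virus:Client-IRC.Win32.mIRC.62\t1\n"
    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script.exe\t"
    "Infected: not-a-virus:Client-IRC.Win32.mIRC.62\t1\n"
    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script.zip\t"
    "Infected: not-a-virus:Client-IRC.Win32.mIRC.62\t1\n"
    "C:\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temporary Internet Files\\"
    "Content.IE5\\C56X012D\\laco1[1].exe\tInfected: Trojan-GameThief.Win32.OnLineGames.siyn\t1\n"
    "\n"
    "The selected area was scanned.\n"
)

# One result line: <path> <whitespace> Infected: <verdict> <whitespace> <count>
RESULT_RE = re.compile(r"^(?P<path>\S.*?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<count>\d+)\s*$")
STAT_RE = re.compile(r"^\s*Infected objects:\s*(?P<n>\d+)\s*$")

# Internet Explorer cache of the LocalSystem account. Files here were downloaded by a
# process running as SYSTEM (typically a service), not by the interactive user.
SYSTEM_PROFILE_CACHE = "\\system32\\config\\systemprofile\\local settings\\temporary internet files\\"


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    count: int

    @property
    def is_riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-potentially-unwanted software with "not-a-virus:".
        return self.verdict.startswith("not-a-virus:")

    @property
    def family(self) -> str:
        # "Trojan-GameThief.Win32.OnLineGames.siyn" -> "Trojan-GameThief.Win32.OnLineGames"
        name = self.verdict.split(":", 1)[-1]
        return ".".join(name.split(".")[:3])

    @property
    def in_system_cache(self) -> bool:
        return SYSTEM_PROFILE_CACHE in self.path.lower()


def parse_report(text: str) -> List[Detection]:
    """Extract every result line; summary lines and headers do not match RESULT_RE."""
    found = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["verdict"], int(m["count"])))
    return found


def reported_infected_count(text: str) -> int:
    """The scanner's own total, used to detect a truncated or badly pasted report."""
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            return int(m["n"])
    raise ValueError("no 'Infected objects' line in report")


def triage(text: str) -> Dict[str, object]:
    dets = parse_report(text)
    total = sum(d.count for d in dets)
    return {
        "malware": [d.path for d in dets if not d.is_riskware],
        "riskware": [d.path for d in dets if d.is_riskware],
        "families": sorted({d.family for d in dets}),
        "system_context": [d.path for d in dets if d.in_system_cache],
        "count_matches_summary": total == reported_infected_count(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```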

sieghart

evilfantasy
                                Re: Help with Trojan-Psw.onlinegames
                                « Reply #27 on: August 04, 2008, 11:42:11 PM »
                                Is this folder where you have the mirc installed?

                                C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script

sieghart

                                  Re: Help with Trojan-Psw.onlinegames
                                  « Reply #28 on: August 05, 2008, 11:10:52 PM »
Yup.

evilfantasy
                                  Re: Help with Trojan-Psw.onlinegames
                                  « Reply #29 on: August 05, 2008, 11:15:24 PM »
                                  1. Double click OTMoveIt2.exe to launch it.
                                  Vista users right click and choose Run As Administrator
                                  2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
                                  4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                                  5. Once complete exit out of OTMoveIt2

                                  ----------

                                  Set a New Restore Point to prevent possible reinfection from an old one
                                  Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                                  • Go to Start > Programs > Accessories > System Tools and click System Restore
• Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                                  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                                  • Next go to Start > Run and type Cleanmgr
                                  • Click OK
                                  • Click the More Options Tab.
                                  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable System Restore here: Windows XP System Restore Guide or Windows Vista System Restore Guide.
                                  ----------

                                  Use the Secunia Software Inspector to check for out of date software.
                                  • Click Start Now
                                  • Check the box next to Enable thorough system inspection.
                                  • Click Start
                                  • Allow the scan to finish and scroll down to see if any updates are needed.
                                  • Update anything listed.
                                  ----------

Important: You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

If you are running any Microsoft Office version, go to the Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

                                  ----------

                                  Please keep these programs up-to-date and run them whenever you suspect a problem. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

                                  Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                                  Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                                  To prevent unknown applications from being installed on your computer install WinPatrol 2008
                                  * Using Winpatrol to protect your computer from malicious software

                                  I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                                  * If you don't know what ActiveX controls are, see here

                                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
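The restore-point steps in the post above are done through the System Restore and Disk Cleanup GUIs. The script below is an added example, not something from the thread or from the tools it names, that does the same job from an elevated PowerShell prompt: it wipes the existing restore points (any of which could hand the trojan back on a rollback) and then creates one clean baseline. It assumes Windows Vista or later with PowerShell 2.0 or newer, where restore points are VSS shadow copies on the system drive, so it does not cover the XP side of the post; the description string is a made-up label.

```powershell
# Added example (not from the thread): reset System Restore to a single clean
# baseline after malware removal. Assumes Windows Vista+ with PowerShell 2.0+,
# run from an elevated prompt, with System Restore enabled on the system drive.

$systemDrive = $env:SystemDrive                           # normally C:
$description = "Clean baseline after malware removal"     # hypothetical label

# Old restore points can hold copies of the infected files, and restoring to
# one would reinfect the machine. On Vista+ every restore point is a VSS shadow
# copy, so deleting all shadows on the system drive removes them. The order is
# reversed from the GUI steps on purpose: wiping first and creating the new
# point afterwards avoids having to work out which shadow is the one to keep.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"Removing $($before.Count) existing restore point(s) on $systemDrive"
$target = "/for=$systemDrive"
vssadmin delete shadows $target /all /quiet | Out-Null

# Create the new, clean restore point. MODIFY_SETTINGS is one of the documented
# restore point types; any of them is fine for a manual baseline.
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# Report the point that now exists so its number and timestamp can be logged,
# as the post recommends. CreationTime is a WMI datetime string.
$after = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
$created = [Management.ManagementDateTimeConverter]::ToDateTime($after.CreationTime)
"Clean restore point #$($after.SequenceNumber) '$($after.Description)' created at $created"
```

Two caveats worth knowing before running it: `Checkpoint-Computer` fails if System Restore is disabled for the drive, so re-enable it first, and from Windows 8 onwards the cmdlet will not create a second point within 24 hours of the previous one, so on a modern machine the deletion step may need to be followed by a wait (or the restore point created through the GUI) rather than an immediate checkpoint.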
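The Secunia Software Inspector step above checks installed software against Secunia's vulnerability database. As an added example that is not part of the thread or of Secunia's product, the script below shows the local half of that check: it reads the Windows uninstall registry keys to inventory installed programs and flags anything below a minimum version. The `$minimumVersions` table is a constructed stand-in for the database, with version numbers chosen only to make the comparison work; the function and variable names are the example's own. It assumes PowerShell 2.0 or newer and touches nothing but the local registry.

```powershell
# Added example (not from the thread): inventory installed programs from the
# uninstall registry keys and flag any that are older than a minimum version.
# The baseline table is constructed for illustration, not real advisory data.

$minimumVersions = @{                       # constructed baseline
    'Mozilla Firefox'    = [version]'3.0.1'
    'Adobe Flash Player' = [version]'9.0.124.0'
    'Java(TM) 6'         = [version]'6.0.70'
}

# Machine-wide 64-bit, machine-wide 32-bit (on x64), and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Every program that registered an uninstaller has a subkey with
    # DisplayName/DisplayVersion; keys without both are skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function ConvertTo-Version([string]$text) {
    # DisplayVersion is free text ("3.0.1 (en-US)", "9.0.124.0"); keep the
    # leading dotted number. [version] needs at least two components, hence {1,3}.
    if ($text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Find-OutdatedSoftware {
    foreach ($app in Get-InstalledSoftware) {
        foreach ($name in $minimumVersions.Keys) {
            # Match on the leading product name; DisplayName often carries a
            # version or language suffix ("Mozilla Firefox (3.0.1)").
            if ($app.DisplayName -notlike "$name*") { continue }
            $installed = ConvertTo-Version $app.DisplayVersion
            if ($installed -eq $null) {
                Write-Warning "Cannot parse version '$($app.DisplayVersion)' for $($app.DisplayName)"
                continue
            }
            if ($installed -lt $minimumVersions[$name]) {
                New-Object PSObject -Property @{
                    Name      = $app.DisplayName
                    Installed = $installed
                    Minimum   = $minimumVersions[$name]
                }
            }
        }
    }
}

Find-OutdatedSoftware | Format-Table Name, Installed, Minimum -AutoSize
```

The registry inventory only sees software that registered an uninstaller, so browser plug-ins that ship inside another product, portable applications, and anything dropped into a user profile without an installer will not appear; that gap is exactly why the post points at a dedicated inspector rather than a registry listing alone.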

                                  CBMatt

                                  • Mod & Malware Specialist


                                  • Prodigy

                                  • Sad and lonely...and loving every minute of it.
                                  • Thanked: 167
                                  • Experience: Experienced
                                  • OS: Windows 7
                                  Re: Help with Trojan-Psw.onlinegames
                                  « Reply #30 on: August 08, 2008, 08:58:01 PM »
As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

                                  If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.
"An undefined problem has an infinite number of solutions."
- Robert A. Humphrey