Hi there,

I'm still new with this site and i need someone from here to solve my laptop problem.

I cannot open the IE and System/Control Panel after i save the file from Widows Antivirus,

I don't know whether this software a real one or just a bait for them to 'slash' my laptop.

Now i'm using mozzila firefox to surf the net. I already download SUPER ANTI SPYWARE

FREE EDITION to remove the viruses/trojan. I hope someone from this site can help me to

reinstate my laptop as previous one.

Yesterday i download Trend Micro Hijack This Software and here is my hijack log file :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:32, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet 0.96\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet 0.96\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet 0.96\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet 0.96\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet 0.96\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7577 bytes

Please advice me what to do and hope hear good news from you all soon.

best regards,

Sarip_dol

Recommended Answers

All 17 Replies

Hi, I'll be helping you to remove the malware in your computer.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.

Cyber Punk,

Tahnk you for your help.

I already done the download and scan and found some of the trojan.

But i still cannot open the IE and Control Panel.

Please help me.

You need to post the log from Malwarebytes' Anti-Malware as per Cyber Punk's instructions.

Cyber Punk & Crunchie,

Below is the full scan of the malwarebytes

Please advice what is the next step.

Cheers,:?:

Sarip_Dol

Malwarebytes' Anti-Malware 1.24
Database version: 1052
Windows 5.1.2600 Service Pack 2

0:43:25 15/08/2008
mbam-log-8-15-2008 (00-43-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 118334
Time elapsed: 42 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{38bf827a-d7c5-46e1-a9a2-47b1b5bb5438} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\MY PROGRAMME\Multimedia KING\ALO Audio Center v1.5\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY PROGRAMME\Multimedia KING\One Click CD Converter v1.2\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY PROGRAMME\Multimedia KING\One Click CD DVD Writer v1.0\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
D:\MY PROGRAMME\Multimedia KING\InterVideo DVDCopy Platinum v3.0B016.58C00\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Applications\iebtu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\iebu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

@crunchie : Thanks a lot for looking over this while I was not here :)

@sarip_dol :

Please download Deckard's System Scanner and save it to your desktop.
Note: You must be logged onto an account with administrator privileges.

  • Save all your work and close all opened programs.
  • Double click on dss.exe to run it. Follow the prompts.
  • When the scan is complete, two log files will be produced. The first one, main.txt, will be maximized, the second one, extra.txt, will be minimized.
  • Please post the contents of the 2 log files in your next reply. 1 log per reply please.

Hi CP,

Thanks for the guide. I,m not able to download the Deckkard software and please refer below.

Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites.

08/17/2008

Your Geeks to Go admin team

Hi, ok, it doesn't matter.
Please do an online scan with Kaspersky WebScanner

Click Scan Now and Accept the agreement. You will be promted to install an ActiveX component from Kaspersky, click Yes

The program will launch and then begin downloading the latest definition files:

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Please post the contents of the log here.

Cyber Punk,

Sorry for the delay due to outstation. Below is the report of the Kaspersky Online Scanner.

Cheers,

sarip_dol

Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 08:34:51
Records in database: 1150656
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned 82397
Threat name 3
Infected objects 6
Suspicious objects 0
Duration of the scan 01:19:10

File name Threat name Threats count
C:\Documents and Settings\Guest\Desktop\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\Local Settings\Temp\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\91DGU0DM\mirc631[1].exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\My Documents\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
The selected area was scanned.

Cyber Punk,

What is the next step after this and for your info i'm still cannot open IE and System.

cheers,

sarip_dol

Crunchie,

Can u help me on this since no reply from CP.

Appreciate your help.

Thanks

Sarip_Dol

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Below is the ComboFix log.


ComboFix 08-09-01.03 - user 2008-09-03 8:17:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1029 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KLRDFG39\bin.clearspring.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\KLRDFG39\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\DEXSWDF4\bin.clearspring.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\DEXSWDF4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-08-30 15:26 . 2008-08-30 15:26 <DIR> d-------- C:\Program Files\ERUNT
2008-08-14 23:58 . 2008-08-15 00:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 23:58 . 2008-08-14 23:58 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-08-14 23:58 . 2008-08-14 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 23:58 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 23:58 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 23:00 . 2008-08-13 23:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 23:10 . 2008-08-11 23:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-05 12:32 . 2008-08-27 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-05 12:32 . 2008-08-05 12:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-08-05 12:32 . 2008-08-05 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-05 12:23 . 2008-08-05 12:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 09:41 . 2008-08-11 23:44 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-05 09:41 . 2008-08-05 11:01 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-05 09:40 . 2008-09-03 08:24 5,211,168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-05 09:40 . 2008-09-03 08:22 72,908 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-05 09:40 . 2008-09-03 08:25 42,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-05 09:40 . 2008-09-03 08:22 6,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-05 00:37 . 2008-08-15 00:12 <DIR> d-------- C:\Program Files\Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-03 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-27 05:09 --------- d-----w C:\Documents and Settings\user\Application Data\Juniper Networks
2008-08-05 03:01 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-08-05 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-05 01:26 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-05 01:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 17:02 --------- d-----w C:\Program Files\BitComet 0.96
2008-08-01 07:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-23 13:29 --------- d-----w C:\Program Files\LimeWire
2008-07-15 14:46 --------- d-----w C:\Documents and Settings\user\Application Data\skypePM
2008-07-10 02:45 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-07-10 02:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 09:59 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2008-07-06 14:52 --------- d-----w C:\Program Files\UltraISO
2008-07-06 14:52 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-01-03 15:53 25,600 -c--a-w C:\Documents and Settings\user\usbsermptxp.sys
2008-01-03 15:53 22,768 -c--a-w C:\Documents and Settings\user\usbsermpt.sys
2007-12-19 14:05 64 --sha-r C:\WINDOWS\4C1599E826DB32A7.bin
.

------- Sigcheck -------

2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2005-01-04 08:00 359040 7b11118b078b88f87183fe69eda43137 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-11-23 13:15 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\system32\dllcache\tcpip.sys
2007-11-23 13:15 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-27 1576176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-01-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-09-07 479232]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2005-01-04 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-27 12:25 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10887:TCP"= 10887:TCP:BitComet 10887 TCP
"10887:UDP"= 10887:UDP:BitComet 10887 UDP
"26662:TCP"= 26662:TCP:BitComet 26662 TCP
"26662:UDP"= 26662:UDP:BitComet 26662 UDP
"27022:TCP"= 27022:TCP:BitComet 27022 TCP
"27022:UDP"= 27022:UDP:BitComet 27022 UDP
"23520:TCP"= 23520:TCP:BitComet 23520 TCP
"23520:UDP"= 23520:UDP:BitComet 23520 UDP

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2005-01-04 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 24592]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-06-08 155264]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-03 29744]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-06-20 18560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{197dfe55-3a38-11dd-90b3-00197e214690}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ae1a1c2-e9b1-11db-8da2-00197e214690}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f6d45f7-7944-11dc-8ebe-00197e214690}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - Flash.10.Setup.exe
\Shell\Open\command - Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d9e834-bdf8-11dc-8fab-00197e214690}]
\Shell\AutoPlay\command - wscript.exe \Haha.js
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
\Shell\Explore\command - wscript.exe \Haha.js -Clicked
\Shell\Open\command - wscript.exe \Haha.js
\Shell\Scan for Viruses\command - wscript.exe \Haha.js
\Shell\Scan with AVG\command - wscript.exe \Haha.js
\Shell\Scan with Norton AntiVirus\command - wscript.exe \Haha.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d9e835-bdf8-11dc-8fab-00197e214690}]
\Shell\AutoPlay\command - wscript.exe \Haha.js
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe \Haha.js
\Shell\Explore\command - wscript.exe \Haha.js -Clicked
\Shell\Open\command - wscript.exe \Haha.js
\Shell\Scan for Viruses\command - wscript.exe \Haha.js
\Shell\Scan with AVG\command - wscript.exe \Haha.js
\Shell\Scan with Norton AntiVirus\command - wscript.exe \Haha.js
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\9d7jt3lh.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 08:23:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-03 8:28:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-03 00:28:49

Pre-Run: 17,502,498,816 bytes free
Post-Run: 17,332,408,320 bytes free

184 --- E O F --- 2007-11-30 14:20:40

PPlease save that log to post in your next reply along with a fresh HJT log



Please use theInternet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.Once the files are downloaded click on Next
Click on Scan Settings and configure as follows: Scan using the following Anti-Virus database:Extended

Scan Options:Scan Archives
Scan Mail Bases


Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on:Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Crunchie,

Currently i'm using firefox because my IE having problem, by the way :

1) how to open firefox in IE tab ?
2) i cannot access any of the icons in the control menu, is this the result of the virus
attack recently ?

When i click control panel this message appear
"Error loading C:\PROGRA-1\MICROs-2\Office12\GrooveUtil.DLL
Access is denied"

Any comment ?:S

You need to download the add-on from firefox in order to do that.

Crunchie,

Below is the KScan report,

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 05, 2008 01:11:05
Records in database: 1192781
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned 67654
Threat name 4
Infected objects 6
Suspicious objects 0
Duration of the scan 00:28:41

File name Threat name Threats count
C:\Documents and Settings\Guest\Desktop\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Guest\My Documents\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
D:\MY PROGRAMME\MY GAMES\Shooters Mania\Bonus Picks\Mystery Case Files - Prime Suspects.exe Infected: Trojan-Downloader.Win32.Agent.adla 1
D:\MY PROGRAMME\MY GAMES\Shooters Mania\Evil Invasion.exe Infected: Trojan-Downloader.Win32.Agent.adla 1
The selected area was scanned.

Delete the files found other than the risktool ones.
Sorry for the late reply. I have been ill.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.