1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Windows XP Trojan.Nebuler

Discussion in 'Virus & Other Malware Removal' started by Orbitcube, Jan 25, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Orbitcube

    Orbitcube Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    47
    Norton reports that the file C:/WINDOWS/system32/winepi32.dll is a Trojan.Nebuler, which I've had for a while. I've finally decided to do something about it. Of course, I need help.

    Here's a HJT log, if needed:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:16:29 a.m., on 26/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Universal Shield 4.0\US30Service.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Callum Hogsden\My Documents\mIRC\mirc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\CALLUM~1\LOCALS~1\Temp\Rar$EX07.140\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serebii.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.gamespot.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
    O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2956233f19bedcabb105/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101926367000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155395537203
    O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/npx.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    first HJT must be in a permanent not temp folder

    so

    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis

    then

    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. Orbitcube

    Orbitcube Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    47
    "REMOVED FOR PRIVACY" - 07-01-26 2:04:34 Service Pack 2
    ComboFix 07-01-25 - Running from: "C:\Documents and Settings\REMOVED\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\INSTALL.LOG
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\components


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 ))))))))))))))))))))))))))))))))))


    2007-01-25 23:11 <DIR> d-------- C:\WINDOWS\LastGood
    2007-01-23 21:01 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-01-22 14:33 162,816 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.SYS
    2007-01-22 12:21 2,829 --a------ C:\WINDOWS\War3Unin.pif
    2007-01-22 12:21 126,976 --a------ C:\WINDOWS\War3Unin.exe
    2007-01-22 12:16 <DIR> d-------- C:\Warcraft III
    2007-01-08 09:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SecTaskMan
    2007-01-02 00:14 <DIR> d-------- C:\Games
    2006-12-30 18:08 <DIR> d-------- C:\Program Files\Audacity
    2006-12-27 20:39 <DIR> d-------- C:\DOCUME~1\CALLUM~1\ST
    2006-12-27 10:59 <DIR> d-------- C:\UnrealTournament
    2006-12-26 14:51 <DIR> d-------- C:\DOCUME~1\CALLUM~1\AbiSuite
    2006-12-26 14:50 <DIR> d-------- C:\Program Files\AbiSuite2
    2006-12-26 14:38 <DIR> d-------- C:\Program Files\Infra Recorder
    2006-12-26 10:08 <DIR> d-------- C:\DOCUME~1\CALLUM~1\Application Data\SmartFTP
    2006-12-26 10:07 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-26 01:57 -------- d-------- C:\Program Files\mozilla firefox
    2007-01-25 23:11 -------- d-------- C:\Program Files\red kawa
    2007-01-25 14:57 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-01-25 02:16 -------- d---s---- C:\Program Files\xfire
    2007-01-25 02:04 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-25 00:48 -------- d-------- C:\Program Files\macromedia
    2007-01-23 21:05 -------- d-------- C:\Program Files\java
    2007-01-23 19:17 -------- d-------- C:\DOCUME~1\CALLUM~1\Application Data\xfire
    2007-01-07 21:04 -------- d-------- C:\DOCUME~1\CALLUM~1\Application Data\adobe
    2007-01-02 00:43 -------- d-------- C:\Program Files\winamp
    2006-12-27 11:22 -------- d-------- C:\Program Files\Common Files\real
    2006-12-27 00:07 -------- d-------- C:\Program Files\toribash-2.2
    2006-12-21 20:59 -------- d-------- C:\Program Files\msn messenger
    2006-12-21 18:45 -------- d-------- C:\DOCUME~1\CALLUM~1\Application Data\installshield
    2006-12-20 21:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
    2006-12-17 15:50 263168 --a------ C:\WINDOWS\system32\ati2dvag.dll
    2006-12-17 15:50 1918464 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
    2006-12-17 15:44 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
    2006-12-17 15:44 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
    2006-12-17 15:44 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
    2006-12-17 15:44 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
    2006-12-17 15:44 102400 --a------ C:\WINDOWS\system32\oemdspif.dll
    2006-12-17 15:42 53248 --a------ C:\WINDOWS\system32\atiddc.dll
    2006-12-17 15:42 434176 --a------ C:\WINDOWS\system32\ati2evxx.exe
    2006-12-17 15:41 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
    2006-12-17 15:35 2676672 --a------ C:\WINDOWS\system32\ati3duag.dll
    2006-12-17 15:30 1289472 --a------ C:\WINDOWS\system32\ativvaxx.dll
    2006-12-17 15:23 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
    2006-12-17 15:21 5304320 --a------ C:\WINDOWS\system32\atioglxx.dll
    2006-12-17 15:17 241664 --a------ C:\WINDOWS\system32\atikvmag.dll
    2006-12-17 15:16 303104 --a------ C:\WINDOWS\system32\atidemgr.dll
    2006-12-17 15:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
    2006-12-17 15:10 315392 --a------ C:\WINDOWS\system32\ati2cqag.dll
    2006-12-15 23:26 -------- d-------- C:\Program Files\quicktime
    2006-12-07 18:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-11-26 01:38 639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-11-08 18:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-10-30 15:56 21840 --a----t- C:\WINDOWS\system32\sintfnt.dll
    2006-10-30 15:56 17212 --a----t- C:\WINDOWS\system32\sintf32.dll
    2006-10-30 15:56 12067 --a----t- C:\WINDOWS\system32\sintf16.dll
    2006-10-29 21:12 17370 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
    2006-10-27 02:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
    "SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\D:]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\D:\StuntRally.exe]
    @="D:\\StuntRally.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "ishost.exe"="ishost.exe"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winepi32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Ad-Aware SE Personal.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - REMOVED FOR PRIVACY.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec Drmc.job

    Completion time: 07-01-26 2:08:16

    ---

    HJT if needed:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:10:06 a.m., on 26/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Universal Shield 4.0\US30Service.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Callum Hogsden\My Documents\mIRC\mirc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Callum Hogsden\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serebii.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
    O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2956233f19bedcabb105/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101926367000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155395537203
    O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/npx.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    first:
    download the attached rem_mc.zip & save to desktop
    unzip it & double click it the reg file & say yes to prompts to merge with registry

    then


    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger¬ís actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    when it reboots

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
    O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll

    now Start killbox,

    Then on killbox top bar press tools/delete temp files, in the pop up box towards the middle is a drop down box containing a list of all user accounts on this drop down user account box, select your account, select ALL options it will allow you to, then then press delete selected temp files , then repeat for every user account listed in that drop down box

    then

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory Objects
      • Sweep Windows Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     

    Attached Files:

  5. Orbitcube

    Orbitcube Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    47
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\agkghsvb

    *******************

    Script file located at: \??\C:\dqgaivxd.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\SYSTEM32\winepi32.dll deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    ---

    9:47 a.m.: Removal process completed. Elapsed time 00:01:41
    9:47 a.m.: A reboot was required but declined.
    9:47 a.m.: Quarantining All Traces: safety bar
    9:47 a.m.: C:\WINDOWS\system32\ssdpsrv.dll is in use. It will be removed on reboot.
    9:47 a.m.: C:\WINDOWS\system32\ssdpsrv.dll is in use. It will be removed on reboot.
    9:47 a.m.: trojan-busky is in use. It will be removed on reboot.
    9:47 a.m.: Quarantining All Traces: trojan-busky
    9:47 a.m.: c:\program files\universal shield 4.0\templink is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\order now!.url is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\uscontext.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\us30service.exe is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\uspro.exe is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\unishield.chm is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang4.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang6.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang10.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang9.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\uninstall.exe is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang3.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang11.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang5.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\install.log is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\install.sss is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\templink is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\readme.txt is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang2.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang12.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang8.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang7.dll is in use. It will be removed on reboot.
    9:47 a.m.: c:\program files\universal shield 4.0\lang1.dll is in use. It will be removed on reboot.
    9:47 a.m.: potentially rootkit-masked files is in use. It will be removed on reboot.
    9:46 a.m.: Quarantining All Traces: potentially rootkit-masked files
    9:46 a.m.: Quarantining All Traces: trojan agent winlogonhook
    9:45 a.m.: Removal process initiated
    9:42 a.m.: Traces Found: 36
    9:42 a.m.: Custom Sweep has completed. Elapsed time 00:36:53
    9:42 a.m.: C:\WINDOWS\system32\ssdpsrv.dll (ID = 409087)
    9:42 a.m.: Detected running threat: C:\WINDOWS\system32\ssdpsrv.dll (ID = 409087)
    9:42 a.m.: File Sweep Complete, Elapsed Time: 00:30:06
    9:42 a.m.: c:\program files\universal shield 4.0\templink (ID = 0)
    9:42 a.m.: c:\documents and settings\all users\start menu\programs\universal shield 4.0\uninstall universal shield.lnk (ID = 0)
    9:42 a.m.: c:\documents and settings\all users\start menu\programs\universal shield 4.0\read me.lnk (ID = 0)
    9:42 a.m.: c:\documents and settings\all users\start menu\programs\universal shield 4.0\order universal shield now!.lnk (ID = 0)
    9:42 a.m.: c:\documents and settings\all users\start menu\programs\universal shield 4.0\help topics.lnk (ID = 0)
    9:42 a.m.: c:\documents and settings\all users\start menu\programs\universal shield 4.0\universal shield 4.0.lnk (ID = 0)
    9:36 a.m.: C:\avenger\backup.zip (ID = 377617)
    9:34 a.m.: Warning: Stream read error
    9:33 a.m.: c:\program files\universal shield 4.0\order now!.url (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\uscontext.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\us30service.exe (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\uspro.exe (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\unishield.chm (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang4.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang6.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang10.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang9.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\uninstall.exe (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang3.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang11.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang5.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\install.log (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\install.sss (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\templink (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\readme.txt (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang2.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang12.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang8.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang7.dll (ID = 0)
    9:33 a.m.: c:\program files\universal shield 4.0\lang1.dll (ID = 0)
    9:33 a.m.: Found System Monitor: potentially rootkit-masked files
    9:33 a.m.: Warning: Failed to access drive D:
    9:31 a.m.: Warning: Failed to open file "c:\documents and settings\callum hogsden\local settings\application data\microsoft\messenger\[email protected]\sharingmetadata\pending.dat". The operation completed successfully
    9:30 a.m.: Warning: Failed to open file "c:\documents and settings\callum hogsden\application data\mozilla\firefox\profiles\kgzb9sht.default\parent.lock". The operation completed successfully
    9:12 a.m.: Starting File Sweep
    9:12 a.m.: Warning: Failed to access drive A:
    9:12 a.m.: Cookie Sweep Complete, Elapsed Time: 00:00:00
    9:12 a.m.: Starting Cookie Sweep
    9:12 a.m.: Registry Sweep Complete, Elapsed Time:00:01:22
    9:12 a.m.: HKU\S-1-5-21-67468712-3338921727-3291069196-1011\software\adwaredisablekey3\ (ID = 1666205)
    9:12 a.m.: Found Trojan Horse: trojan-busky
    9:12 a.m.: HKLM\software\microsoft\mssmgr\ (ID = 1776755)
    9:12 a.m.: HKLM\software\classes\mezziacodec.chl\ (ID = 1588798)
    9:12 a.m.: HKCR\mezziacodec.chl\ (ID = 1588797)
    9:12 a.m.: Found Trojan Horse: trojan agent winlogonhook
    9:12 a.m.: HKLM\software\microsoft\internet explorer\toolbar\ || {052b12f7-86fa-4921-8482-26c42316b522} (ID = 1512083)
    9:12 a.m.: Found Adware: safety bar
    9:11 a.m.: Starting Registry Sweep
    9:11 a.m.: Memory Sweep Complete, Elapsed Time: 00:05:03
    9:06 a.m.: Starting Memory Sweep
    9:06 a.m.: Start Custom Sweep
    9:06 a.m.: Sweep initiated using definitions version 816
    9:06 a.m.: Spy Sweeper 5.2.3.2138 started
    9:06 a.m.: | Start of Session, Friday, 26 January 2007 |
    ********
    9:06 a.m.: | End of Session, Friday, 26 January 2007 |
    Keylogger: Off
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites: Off
    Hosts File Shield: On
    Internet Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:05 a.m.: Shield States
    9:05 a.m.: Spyware Definitions: 816
    9:05 a.m.: Spy Sweeper 5.2.3.2138 started
    Keylogger: Off
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites: Off
    Hosts File Shield: On
    Internet Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:01 a.m.: Shield States
    9:01 a.m.: Spyware Definitions: 816
    9:01 a.m.: Warning: Virus definitions files are invalid, please update your virus definitions. 220
    9:00 a.m.: Spy Sweeper 5.2.3.2138 started
    9:00 a.m.: Spy Sweeper 5.2.3.2138 started
    9:00 a.m.: | Start of Session, Friday, 26 January 2007 |
    ********

    ---

    Logfile of HijackThis v1.99.1
    Scan saved at 10:09:29 a.m., on 26/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Callum Hogsden\My Documents\mIRC\mirc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Callum Hogsden\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serebii.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
    O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2956233f19bedcabb105/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101926367000
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155395537203
    O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/LOT/MaxisUnleashedLotTeleX.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/npx.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtect/Netizen/KeyCrypt/npkcx.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    ---
    Yes, I have rebooted from the SpySweeper "sweep" and did the HJT log after reboot. And jeez, my computer is worse than I originally thought!
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    I'm not sure why spysweeper detected all these
    c:\program files\universal shield 4.0 as I don't see that as a risk

    or this
    C:\WINDOWS\system32\ssdpsrv.dll which seems to be a genuine microsoft file


    If universal shield is the paid for full version & not just a trial then
    rightclick the spysweeper icon in systray, select quarantine, select those items & select restore

    let us know how you get on

    there is one more problem I can see

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger&#8217;s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.
     
  7. Orbitcube

    Orbitcube Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    47
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\retnkxnj

    *******************

    Script file located at: \??\C:\Documents and Settings\fjafutpu.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    Registry key \Registry\Machine\System\CurrentControlSet\Services\BOONTY not found!
    Unload of driver BOONTY failed!

    Could not process line:
    BOONTY
    Status: 0xc0000034

    Folder C:\Program Files\Common Files\BOONTY Shared deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Sorry try avenger again with this as the script file

    drivers to unload:
    BOONTY games
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538194

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice