Trojan.Win32.VB.ayo

Posted 7/22/2008 6:29 PM
#63859

neoragex Member

Date Joined Nov 2016
Total Posts: 6
Any idea how to remove this? I'm using XP with original KAV 2009, but it seems like every time I scan, I need to delete this virus. It keeps coming.

Virus: Trojan.Win32.VB.ayo

Thanks
Posted 7/23/2008 4:38 AM
#63866

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello

This is what Trojan.Win32.VB.ayo is:

https://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.VB.ayo&threatid=144801

I'll therefore suggest you click here: https://www.bullguard.com/forum/14/Before-posting-a-log_43561.html

After you have run the scan tools:

Reboot normally.

Post the HijackThis log along with the SUPERAntiSpyware log and the C: combofix TXT in this topic.

Please copy and paste your log. DO NOT add it as an attachment.

Kindly do not annotate or format the log with color or font changes.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/24/2008 4:30 AM
#63897

neoragex Member

Date Joined Nov 2016
Total Posts: 6
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:24 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Krait\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\Krait\razerofa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Krait] C:\Program Files\Razer\Krait\razerhid.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - https://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - https://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5590252-9EC1-4D87-99AD-865B8A98014F}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 8259 bytes



SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 07/24/2008 at 12:07 PM

Application Version : 4.15.1000

Core Rules Database Version : 3513
Trace Rules Database Version: 1504

Scan type : Complete Scan
Total Scan Time : 00:20:05

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 6214
Registry threats detected : 30
File items scanned : 19529
File threats detected : 2

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\ControlSet002\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@adinterax[2].txt
Posted 7/24/2008 5:07 AM
#63898

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please post the C: combofix TXT log.



Posted 7/24/2008 5:22 AM
#63899

neoragex Member

Date Joined Nov 2016
Total Posts: 6
ComboFix 08-07-13.11 - user 2008-07-24 13:16:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: /snapshot

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 12:26 . 2008-07-24 12:27 d-------- C:\HJT
2008-07-24 11:36 . 2008-07-24 11:36 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-07-23 00:58 . 2008-07-23 00:58 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 04:28 . 2008-07-13 04:28 d-------- C:\Program Files\Razer
2008-07-13 04:28 . 2005-12-08 13:43 65,536 --a------ C:\WINDOWS\system32\krait.cpl
2008-07-02 03:29 . 2008-07-16 17:04 14 --a------ C:\WINDOWS\popcinfo.dat
2008-07-02 03:28 . 2008-07-02 03:28 d-------- C:\Program Files\PopCap Games
2008-07-02 02:55 . 2008-07-02 02:56 d-------- C:\Program Files\Burger Shop v1.0
2008-07-01 18:10 . 2008-07-02 02:07 d-------- C:\Program Files\GameHouse
2008-07-01 18:10 . 2008-07-01 18:10 d-------- C:\Documents and Settings\user\Application Data\PlayFirst
2008-07-01 18:10 . 2008-07-01 18:10 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-06-26 03:01 . 2008-06-26 03:01 d-------- C:\WINDOWS\ie8updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 04:20 581,664 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-24 04:20 4,116 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-24 04:20 23,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-24 04:20 2,720,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-24 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-24 03:44 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-07-24 03:32 --------- d-----w C:\Program Files\BitComet
2008-07-24 02:06 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 02:06 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 16:38 --------- d-----w C:\Program Files\Bluefox Studio
2008-07-19 19:17 --------- d-----w C:\Program Files\Rohan Online
2008-07-12 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-06-29 10:21 --------- d-----w C:\Program Files\CABAL Online (SG MY)
2008-06-27 12:34 975,779,843 ----a-w C:\Program Files\SilkroadOnline_GlobalOfficial_v1_150.exe
2008-06-21 21:45 --------- d-----w C:\Program Files\Warcraft III
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 16:37 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-15 15:14 --------- d-----w C:\Program Files\Neffy
2008-06-14 12:35 --------- d-----w C:\Program Files\Winamp
2008-06-13 18:39 --------- d-----w C:\Program Files\Xilisoft
2008-06-13 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-13 13:49 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-06-13 13:44 --------- d-----w C:\Program Files\Google
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 06:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 12:35 --------- d-----w C:\Program Files\Wise Disk Cleaner
2008-06-06 11:01 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-06 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-31 18:27 --------- d-----w C:\Documents and Settings\user\Application Data\DMCache
2008-05-27 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 16:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-08 04:50 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 10:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 16:32 222504]
"Krait"="C:\Program Files\Razer\Krait\razerhid.exe" [2007-02-16 17:44 126976]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2007-02-16 17:44 126976 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-08-24 06:15 8478720 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-08-24 06:15 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-11-06 10:58 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-08-24 06:15 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CABAL Online (SG MY)\\Launcher\\update\\ESTdnheadless.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"C:\\Program Files\\Rohan Online\\rohanclient.exe"=
"E:\\Application\\SRO_NEW_Full-Client_Downloader.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\x1337x\\Rohanbot.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\Miki\\Rohanbot.exe"=
"E:\\Silkroad\\Bot\\srobot.exe"=
"E:\\Silkroad\\SilkErrSender.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26102:TCP"= 26102:TCP:BitComet 26102 TCP
"26102:UDP"= 26102:UDP:BitComet 26102 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva170;XDva170;C:\WINDOWS\system32\XDva170.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a1c35a-ce23-11dc-904f-001d7243034e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-07-24 13:18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Completion time: 2008-07-24 13:19:58
ComboFix-quarantined-files.txt 2008-07-24 05:19:50
ComboFix2.txt 2008-07-24 04:23:43

Pre-Run: 47,379,374,080 bytes free
Post-Run: 47,366,709,248 bytes free

179 --- E O F --- 2008-07-11 14:04:41
Posted 7/24/2008 6:15 AM
#63903

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Open notepad and copy/paste the text in the quote box below into it:

Quote:

-----------------------------------------------------

KILLALL::

Snapshot::

File::
C:\WINDOWS\System32\CSCDLL.dll

Driver::
XDva132
XDva165
XDva167
XDva170
XDva177

----------------------------------------------

Save this as CFScript.txt

https://www.fromsej.saknet.dk/billeder/cfscript.gif

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

Post a new HijackThis log along with a fresh ComboFix log.

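As an added example (not code from this thread, from the helper, or from ComboFix's authors), the Python below performs the triage the helper did by hand over a constructed excerpt written in the style of the ComboFix log posted above, and then renders the flagged driver names plus operator-confirmed file paths in the CFScript.txt layout quoted in this post. The regular expressions, the `Finding` type and the sample lines are my own assumptions; the only thing taken from the page is the shape of the log lines and of the script.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the style of the ComboFix log posted in this thread
# (a handful of lines, not the whole log; the patterns are the ones seen above).
SAMPLE_LOG = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
"""

# Line shapes seen in the log: "S3 name;description;path [yyyy-mm-dd hh:mm]",
# a mountpoints2 registry header followed by its AutoRun command, and a
# "-> path" DLL line under a "PROCESS:" header. (Regexes are my own.)
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
MOUNTPOINT_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$", re.I)
DLL_RE = re.compile(r"^->\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "driver", "autorun" or "dll"
    name: str    # driver service name, volume GUID or DLL path
    detail: str  # what to tell the operator


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return the entries a helper would look at first."""
    findings: List[Finding] = []
    current_volume = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, name, _desc, path, stamp = m.groups()
            # The bracket carries the driver file's timestamp; an empty bracket
            # means no file was found to stamp, so the service points at
            # something that is not (or no longer) on disk.
            if stamp.strip() == "":
                findings.append(Finding("driver", name,
                    f"{start} service {name} -> {path}: no file metadata"))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            current_volume = m.group(1)
            continue
        m = AUTORUN_RE.match(line)
        if m and current_volume:
            # An AutoRun command under a mounted-volume key launches a program
            # from that volume (here "Sys.exe") when the volume is opened.
            target = m.group(1).split()[-1]
            findings.append(Finding("autorun", current_volume,
                f"AutoRun command on volume {current_volume} runs {target}"))
            current_volume = None
            continue
        m = DLL_RE.match(line)
        if m:
            path = m.group(1)
            # "?:" is a drive letter the tool did not resolve; the real path
            # must be confirmed by hand before anything acts on it.
            if path.startswith("?:"):
                findings.append(Finding("dll", path,
                    f"loaded DLL with unresolved drive letter: {path}"))
    return findings


def build_cfscript(findings: List[Finding], confirmed_files: List[str]) -> str:
    """Render a CFScript.txt in the layout the helper posted above
    (KILLALL::, File::, Driver:: headers, one entry per line).
    Only triaged drivers and files the operator has confirmed are written."""
    drivers = [f.name for f in findings if f.kind == "driver"]
    lines = ["KILLALL::", ""]
    if confirmed_files:
        lines += ["File::", *confirmed_files, ""]
    if drivers:
        lines += ["Driver::", *drivers, ""]
    return "\n".join(lines)
```

The DLL with the unresolved `?:` drive is reported but deliberately not written into the script; it goes in only once the operator passes the confirmed path to `build_cfscript`.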


Posted 7/24/2008 6:50 AM
#63908

neoragex Member

Date Joined Nov 2016
Total Posts: 6
ComboFix 08-07-13.11 - user 2008-07-24 14:42:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.649 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\CSCDLL.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\CSCDLL.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-24 12:34 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 12:26 . 2008-07-24 13:26 d-------- C:\HJT
2008-07-24 11:36 . 2008-07-24 11:36 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 11:35 . 2008-07-24 11:35 d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-07-23 00:58 . 2008-07-23 00:58 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 04:28 . 2008-07-13 04:28 d-------- C:\Program Files\Razer
2008-07-13 04:28 . 2005-12-08 13:43 65,536 --a------ C:\WINDOWS\system32\krait.cpl
2008-07-02 03:29 . 2008-07-16 17:04 14 --a------ C:\WINDOWS\popcinfo.dat
2008-07-02 03:28 . 2008-07-02 03:28 d-------- C:\Program Files\PopCap Games
2008-07-02 02:55 . 2008-07-02 02:56 d-------- C:\Program Files\Burger Shop v1.0
2008-07-01 18:10 . 2008-07-02 02:07 d-------- C:\Program Files\GameHouse
2008-07-01 18:10 . 2008-07-01 18:10 d-------- C:\Documents and Settings\user\Application Data\PlayFirst
2008-07-01 18:10 . 2008-07-01 18:10 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-06-26 03:01 . 2008-06-26 03:01 d-------- C:\WINDOWS\ie8updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 06:44 589,856 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-24 06:44 4,144 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-24 06:44 23,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-24 06:44 2,720,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-24 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-24 03:44 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-07-24 03:32 --------- d-----w C:\Program Files\BitComet
2008-07-24 02:06 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 02:06 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 16:38 --------- d-----w C:\Program Files\Bluefox Studio
2008-07-19 19:17 --------- d-----w C:\Program Files\Rohan Online
2008-07-12 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-06-29 10:21 --------- d-----w C:\Program Files\CABAL Online (SG MY)
2008-06-27 12:34 975,779,843 ----a-w C:\Program Files\SilkroadOnline_GlobalOfficial_v1_150.exe
2008-06-21 21:45 --------- d-----w C:\Program Files\Warcraft III
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 16:37 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-15 15:14 --------- d-----w C:\Program Files\Neffy
2008-06-14 12:35 --------- d-----w C:\Program Files\Winamp
2008-06-13 18:39 --------- d-----w C:\Program Files\Xilisoft
2008-06-13 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-13 13:49 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-06-13 13:44 --------- d-----w C:\Program Files\Google
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 06:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 12:35 --------- d-----w C:\Program Files\Wise Disk Cleaner
2008-06-06 11:01 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-06 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-31 18:27 --------- d-----w C:\Documents and Settings\user\Application Data\DMCache
2008-05-27 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 16:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-08 04:50 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 10:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 16:32 222504]
"Krait"="C:\Program Files\Razer\Krait\razerhid.exe" [2007-02-16 17:44 126976]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2007-02-16 17:44 126976 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-08-24 06:15 8478720 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-08-24 06:15 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-11-06 10:58 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-08-24 06:15 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CABAL Online (SG MY)\\Launcher\\update\\ESTdnheadless.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"C:\\Program Files\\Rohan Online\\rohanclient.exe"=
"E:\\Application\\SRO_NEW_Full-Client_Downloader.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\x1337x\\Rohanbot.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\Miki\\Rohanbot.exe"=
"E:\\Silkroad\\Bot\\srobot.exe"=
"E:\\Silkroad\\SilkErrSender.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26102:TCP"= 26102:TCP:BitComet 26102 TCP
"26102:UDP"= 26102:UDP:BitComet 26102 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva170;XDva170;C:\WINDOWS\system32\XDva170.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a1c35a-ce23-11dc-904f-001d7243034e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6e346ec-5947-11dd-8e37-001e377228e3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - F:\Flash.10.Setup.exe
\Shell\Open\command - F:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - F:\Scanner.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-07-24 14:46:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Krait\razerofa.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-24 14:48:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 06:48:47
ComboFix2.txt 2008-07-24 05:19:58
ComboFix3.txt 2008-07-24 04:23:43

Pre-Run: 47,330,660,352 bytes free
Post-Run: 47,318,220,800 bytes free

204 --- E O F --- 2008-07-11 14:04:41
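The tail of this log carries the three things a helper acts on next: the MountPoints2 keys (Windows XP's cached copy of an autorun.inf from the G: and F: drives, with Open/Explore/AutoRun verbs pointed at Flash.10.Setup.exe, Scanner.exe and Sys.exe), the firewall exception list with bot executables living on the Desktop, and the XDva* driver services whose file column shows an empty `[]`. The script below is an added example, not part of this thread and not ComboFix's code; it pulls those three indicators out of a ComboFix-style log. SAMPLE_LOG is a constructed excerpt of lines from the log above so it runs offline, the regular expressions assume the line layout ComboFix prints in this post, and reading an empty `[]` after a driver path as "the .sys could not be found on disk" is an assumption about that format.

```python
"""Flag the indicators a helper looks for in a ComboFix log.

Added example for this thread; it is not ComboFix's or BullGuard's code.
SAMPLE_LOG is constructed from a handful of lines in the log posted above.
"""
import re

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\x1337x\\Rohanbot.exe"=
"E:\\Silkroad\\Bot\\srobot.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Explore\command - G:\Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
\Shell\Scan for Viruses\command - G:\Scanner.exe
"""

# Line shapes as ComboFix prints them in the log above (assumed layout).
MOUNTPOINT_KEY = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
SHELL_COMMAND = re.compile(r"^\\Shell\\(.+?)\\command - (.+)$", re.I)
DRIVER_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
FIREWALL_APP = re.compile(r'^"(.+)"=$')
# Folders a firewall-authorised program normally has no business living in.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\application data\\")


def find_mountpoint_autoruns(log):
    """Return (volume_guid, verb, command) for every cached autorun command.

    XP keeps a removable volume's autorun.inf verbs under MountPoints2, so
    these survive after the stick is unplugged and point at what Explorer
    would run when the drive is opened or auto-played.
    """
    hits, current = [], None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("["):
            m = MOUNTPOINT_KEY.match(line)
            current = m.group(1) if m else None   # leave non-mountpoint keys
            continue
        m = SHELL_COMMAND.match(line)
        if m and current:
            hits.append((current, m.group(1), m.group(2)))
    return hits


def find_undated_drivers(log):
    """Return driver service names whose file column is empty ([]).

    Assumption: ComboFix prints the file's timestamp in the brackets, so an
    empty pair means the registered .sys was not found on disk.
    """
    matches = (DRIVER_LINE.match(l.strip()) for l in log.splitlines())
    return [m.group(2) for m in matches if m and m.group(5) == ""]


def find_user_path_firewall_exceptions(log):
    """Return firewall-authorised programs that live in user-writable folders.

    These are flagged for review, not declared malicious: a game bot on the
    Desktop with an inbound-allow rule is exactly the kind of thing to ask about.
    """
    flagged = []
    for line in (l.strip() for l in log.splitlines()):
        m = FIREWALL_APP.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\")   # the log doubles backslashes
            if any(token in path.lower() for token in USER_WRITABLE):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    for guid, verb, command in find_mountpoint_autoruns(SAMPLE_LOG):
        print(f"autorun  {guid} {verb:16} -> {command}")
    for name in find_undated_drivers(SAMPLE_LOG):
        print(f"driver   {name}: service registered but file missing")
    for path in find_user_path_firewall_exceptions(SAMPLE_LOG):
        print(f"firewall exception in user-writable path: {path}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of C:\ComboFix.txt; the three functions only read the lines they recognise and ignore the rest.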
Posted 7/24/2008 7:33 AM
#63911
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please download:

https://swandog46.geekstogo.com/avenger2/avenger.zip

Right click on the Avenger.zip folder and select "Extract to Avenger..."

You will now have an Avenger folder on your desktop.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C

Quote:

Drivers to unload:
XDva132
XDva165
XDva167
XDva170
XDva177

Make sure the Scan for rootkits is checked ...

& the Automatically disable any rootkits found is NOT checked ...

Click on Execute

Answer "Yes" twice when prompted.

After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Please copy/paste the content of C:\avenger.txt into your reply, and tell me how things are running now?

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 7/29/2008 12:47 PM
#64109
User avatar

neoragex Member

Date Joined Nov 2016
Total Posts: 6
Logfile of The Avenger Version 2.0, (c) by Swandog46
https://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "XDva132" deleted successfully.
Driver "XDva165" deleted successfully.
Driver "XDva167" deleted successfully.
Driver "XDva170" deleted successfully.
Driver "XDva177" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Firstly, sorry for the late reply.
I made a full scan before I posted this; KAV still found:
c:\system volume information\restore{F563DEB7-4C56-4CF7-81FB-E69EB8C6D788}\RP111\A0029498.exe/PE_Patch.UPX/UPX <-- as Trojan.Win32.VB.ayo
e:\system volume information\_restore{f563deb7-4c56-4cf7-81fb-e69eb8c6d788}\rp110\a0029245.dll <--- Packed.Win32.CryptExe
e:\system volume information\_restore{f563deb7-4c56-4cf7-81fb-e69eb8c6d788}\rp111\a0029500.dll <--- Packed.Win32.CryptExe

After doing all your steps above, my IE is back to normal (I asked about it in another thread). Thanks.
In your next reply, please assist me in cleaning my thumb drive. I am using my friend's laptop at work since I need to 'clean' mine; his KAV found Trojan.Win32.VB.ayo on my thumb drive, but it was not detected by my KAV before. (He's using a cracked copy but I'm using an original, which is what makes me feel worse.)

P.S.:
1. Can you teach me/us in this forum how to avoid this trojan?
2. I always scan any USB drive first, including mine, before I run it. If my antivirus finds a virus/trojan on it, is my laptop infected even though I'm not running it?
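The MountPoints2 entries in the ComboFix log above are Windows XP's cached copy of an autorun.inf from the G: and F: drives: an open= line for AutoPlay, and shell\open, shell\explore and a "Scan for Viruses" verb that each point at a program on the stick. As an added example, not part of this thread and not from any vendor, the following script parses such a file and lists what AutoPlay, a double-click on the drive icon, and the drive's context menu would launch, and whether the named files are actually present. SAMPLE_AUTORUN_INF is constructed to match those log entries, not recovered from the poster's thumb drive; the key names it uses (open=, shellexecute=, shell\<verb>\command=, shell\<verb>=label, shell=default verb) are the standard autorun.inf layout.

```python
"""List what an autorun.inf makes AutoPlay and Explorer run.

Added example for this thread, not the forum's or any vendor's code.
SAMPLE_AUTORUN_INF is constructed to match the MountPoints2 entries in the
ComboFix log above; it is not a file taken from the poster's drive.
"""
import os
import shutil
import tempfile

SAMPLE_AUTORUN_INF = r"""
[autorun]
open=Flash.10.Setup.exe
shellexecute=Flash.10.Setup.exe
icon=Flash.10.Setup.exe,0
shell\open\command=Flash.10.Setup.exe
shell\explore\command=Flash.10.Setup.exe
shell\scan=&Scan for Viruses
shell\scan\command=Scanner.exe
shell=open
"""


def parse_autorun_inf(text):
    """Parse the [autorun] section of an autorun.inf.

    Returns a dict with:
      autoplay - programs named by open= / shellexecute= (what AutoPlay
                 offers or launches when the drive is inserted)
      commands - {verb: command} from shell\<verb>\command= lines, the
                 verbs Explorer adds to the drive's context menu
      labels   - {verb: menu text} from shell\<verb>=label lines
      default  - the verb a double-click on the drive runs (shell=, else open)
    """
    section, autoplay, commands, labels, default = None, [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                                   # other sections are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute"):
            if value not in autoplay:
                autoplay.append(value)
        elif key == "shell":
            default = value.lower()
        elif key.startswith("shell\\"):
            parts = key.split("\\")
            if len(parts) == 3 and parts[2] == "command":
                commands[parts[1]] = value             # shell\scan\command=Scanner.exe
            elif len(parts) == 2:
                labels[parts[1]] = value.replace("&", "")  # shell\scan=&Scan for Viruses
    return {"autoplay": autoplay, "commands": commands,
            "labels": labels, "default": default or "open"}


def _present(root, command):
    """Does the first token of the command name a file on the drive?"""
    return os.path.isfile(os.path.join(root, command.split()[0].strip('"')))


def audit_drive(root):
    """Return (trigger, command, file_present) for everything an autorun.inf at
    the root of `root` would launch; [] when the drive has no autorun.inf."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", errors="replace") as fh:
        parsed = parse_autorun_inf(fh.read())
    findings = []
    for program in parsed["autoplay"]:
        findings.append(("AutoPlay", program, _present(root, program)))
    for verb, command in parsed["commands"].items():
        trigger = parsed["labels"].get(verb, verb)
        if verb == parsed["default"]:
            trigger += " (double-click)"               # replaces opening the folder
        findings.append((trigger, command, _present(root, command)))
    return findings


def demo_on_temp_drive():
    """Build a throw-away 'drive root' holding the constructed autorun.inf and
    one of the programs it names, audit it, and clean up."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        open(os.path.join(root, "Flash.10.Setup.exe"), "wb").close()
        return audit_drive(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for trigger, command, present in demo_on_temp_drive():
        print(f"{trigger:22} -> {command:20} {'present' if present else 'MISSING'}")
```

On a real machine, call audit_drive("G:\\") against the mounted stick. The point the output makes is that "opening" an infected drive in Explorer is itself a launch: the open verb replaces the folder view with the program, and the verbs are what end up cached in MountPoints2 as in the log above.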