
Antichrist [day of judgment]

Discussion in 'Malware and Virus Removal Archive' started by meda, 2008/03/30.

  1. 2008/03/30
    meda
    I have a problem with this, I don't know how to remove it; if anybody has a solution plz help me. Instead of the welcome screen at Windows start I have the message [day of judgment], and my IExplorer starts up with Windows with a green screen and a message something about allah and antichrist. My friend has it too and his was detected as "Worm.Win32.AutoRun.cny" by Kaspersky Internet Security 7. Here is my log, plz try to help me.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:14:04, on 30.3.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206873716390
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    --
    End of file - 5093 bytes
     
    meda,
    #1
  2. 2008/03/30
    Geri
    Hi meda
    Welcome to Windowsbbs. :)
    Antichrist [day of judgment]
    I don't believe this is happening just yet. :p

    So let's get rid of it.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Now do this.

    Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, for either version:
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, uncheck the box labeled Resident "TeaTimer" (Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Don't forget to re-enable it, when your computer is clean.


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now please do this.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the “main.txt” log only for now.

    Thanks
    Geri
     
    Geri,
    #2
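Geri's "check the boxes next to all the entries listed below" step is a manual triage of a HijackThis log: pick out the entries whose section and value do not belong on a home PC, then confirm after the fix that they are gone. The script below is an added example written for this thread, not code from HijackThis or from any post here. It parses HijackThis entries (`<section> - <body>`), applies the two checks Geri used (an R1 `Window Title` override and any O6 "IE options restricted by policy" entry), and diffs two logs so that entries which disappeared or appeared between scans stand out. The two log excerpts are constructed from meda's first log above and the later Deckard's System Scanner log in this thread; only the lines needed for the demonstration are kept.

```python
"""Flag and diff HijackThis log entries (added example, not from the thread)."""
import re
from typing import NamedTuple

# Excerpt of the first HijackThis log in this thread (constructed).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Excerpt of the HijackThis log inside the later DSS report (constructed).
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# A HijackThis entry is "<section code> - <rest of line>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str  # HijackThis section code: R0, R1, O2, O4, O6, ...
    body: str     # everything after "<section> - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the HijackThis entries in a log; headers, process lists etc. are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Apply the two checks used in this thread and return (entry, reason) pairs."""
    flagged = []
    for e in entries:
        if e.section == "R1" and ",Window Title = " in e.body:
            # R1 Window Title: text appended to the browser title bar. Malware
            # and hijackers commonly set this; report the value for review.
            title = e.body.split(",Window Title = ", 1)[1]
            flagged.append((e, f"IE window title overridden: {title!r}"))
        elif e.section == "O6":
            # O6: Internet Explorer options restricted by policy. Normal on a
            # domain-managed machine, unexpected on a home PC.
            flagged.append((e, "IE options restricted by policy"))
    return flagged


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries only in the earlier log (removed) and only in the later log (added)."""
    b, a = parse_hjt(before), parse_hjt(after)
    bset, aset = set(b), set(a)
    removed = [e for e in b if e not in aset]
    added = [e for e in a if e not in bset]
    return removed, added


if __name__ == "__main__":
    for entry, reason in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"FLAG {entry.section}: {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries gone since the first scan, {len(added)} new")
    for e in removed:
        print(f"  - {e.section} {e.body}")
    for e in added:
        print(f"  + {e.section} {e.body}")
```

Run against the two excerpts, the flag pass reports exactly the R1 and O6 lines Geri listed, and the diff shows them absent from the later log (together with the Alcmtr and TeaTimer autoruns that also went away) while the new Adobe BHO and NeroCheck autorun appear as additions to review.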


  4. 2008/03/31
    meda
    Hi Geri, thank you for helping me. Here is the ActiveScan report.



    Incident Status Location

    Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\sasha\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
    Virus:W32/Autorun.ME.worm Disinfected C:\QooBox\Quarantine\C\autorun.inf.vir
    Virus:Trj/Bancos.RQ Not disinfected D:\BACKUPIGREFAVORITESIOSTALASRANJA\mojidokumenti\ComboFix.exe[327882R2FWJFW\pv.cfexe]
    Spyware:Cookie/888 Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@888[1].txt
    Spyware:Cookie/Cgi-bin Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@cgi-bin[3].txt
    Spyware:Cookie/Cgi-bin Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@cgi-bin[4].txt
    Spyware:Cookie/Cgi-bin Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@cgi-bin[5].txt
    Spyware:Cookie/fe.lea.lycos Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@fe.lea.lycos[1].txt
    Spyware:Cookie/Go Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@go[2].txt
    Adware:Adware/Ucmore Not disinfected D:\Novi programi\Internet\EDonkey 2000\edonkey0.52.rar[edonkey0.52.exe][UCmoreIEx.exe][IUCMORE.DLL]
    Virus:Trj/HakTek.A Not disinfected D:\Novi programi\Internet\HakTek\haktek.rar[haktek.exe]
    Virus:Trj/Downloader.MDW Disinfected D:\Novi programi\Internet\Sub7\sub7remover.zip[Sub7remover.exe]
    Virus:Generic Trojan Not disinfected D:\Novi programi\Standard programs for Windows\DivX Players\Rad Light\RadLight303R52OK.rar[RadLight303R52OK.exe]
    Virus:Generic Trojan Not disinfected D:\Novi programi\Standard programs for Windows\DivX Players\Rad Light.zip[Rad Light/RadLight303R52OK.rar][RadLight303R52OK.exe]
    Hacktool:Hacktool/MailBomber.F Not disinfected D:\PROGRAMI\Recnici\Recnik\recnik20.EXE
    Hacktool:Hacktool/MailBomber.F Not disinfected D:\PROGRAMI\Recnici\RecnikV2.zip[SETUP.EXE]
    Adware:Adware/Cydoor Not disinfected D:\Sa neta\dietk30.exe
    Adware:Adware/WinAD Not disinfected D:\Sa neta\incredimail_install.exe
    Virus:Generic Trojan Disinfected D:\Sa neta\iqtests.zip[iq3.exe]
    Adware:Adware/IST.ISTBar Not disinfected D:\Sistemm\REINSTAL\Downloads\PalmaryClock[1].v3.0.1.Italian.PalmOS.Cracked-CSCPDA.ZIP[cracker.exe]
    Adware:Adware/Gator Not disinfected D:\System Volume Information\_restore{8FC6417A-A115-40CA-A00F-8DF3F55FBD89}\RP9\A0007823.exe
    Virus:Generic Trojan Disinfected D:\System Volume Information\_restore{8FC6417A-A115-40CA-A00F-8DF3F55FBD89}\RP9\A0007831.exe[AutoPlay/Docs/twk-flashget171patch.exe]
    Virus:Generic Trojan Disinfected D:\System Volume Information\_restore{AE6E20C6-B059-4ACF-A857-B829CEA3F48D}\RP7\A0002347.exe
    Adware:Adware/Gator Not disinfected D:\temp\DivXPro502GAINBundle.exe
    Virus:Trj/Bancos.RQ Not disinfected E:\BACKUP\Downloads\ComboFix.exe[327882R2FWJFW\pv.cfexe]
    Virus:Trj/Downloader.MDW Not disinfected E:\BACKUP\Downloads\startupmechanic2.8.exe[¦$$\System32\wmidext.dll]
    Adware:Adware/Cydoor Not disinfected E:\BACKUP\Downloads\startupmechanic2.8.exe[¦$$\System32\winsdrv.dll]



    Geri, I can't do this cos I don't have

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    when I scan with HijackThis.
     
    Last edited: 2008/03/31
    meda,
    #3
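An ActiveScan report like the one above mixes findings of very different weight: detections inside archives and installer bundles, files already sitting in ComboFix's C:\QooBox quarantine, copies inside System Restore points, tracking cookies, and loose executables still on disk. The script below is an added example, not part of the thread or of Panda's tool: it parses the report's `<Category>:<Name> <Status> <Location>` lines and sorts them into those buckets, so that the items still needing action (on-disk files marked "Not disinfected") are listed separately. The ten report lines are constructed from the report posted above.

```python
"""Triage a Panda ActiveScan report by where each detection lives (added example)."""
import re
from collections import defaultdict
from typing import NamedTuple

# Ten lines constructed from the ActiveScan report posted in this thread.
REPORT = r"""
Incident Status Location

Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\sasha\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Virus:W32/Autorun.ME.worm Disinfected C:\QooBox\Quarantine\C\autorun.inf.vir
Spyware:Cookie/888 Not disinfected D:\MEDAAAAAAAAAAAAA\Documents and Settings\Sale\Cookies\sale@888[1].txt
Hacktool:Hacktool/MailBomber.F Not disinfected D:\PROGRAMI\Recnici\Recnik\recnik20.EXE
Adware:Adware/Cydoor Not disinfected D:\Sa neta\dietk30.exe
Virus:Generic Trojan Disinfected D:\Sa neta\iqtests.zip[iq3.exe]
Adware:Adware/Gator Not disinfected D:\System Volume Information\_restore{8FC6417A-A115-40CA-A00F-8DF3F55FBD89}\RP9\A0007823.exe
Virus:Generic Trojan Disinfected D:\System Volume Information\_restore{AE6E20C6-B059-4ACF-A857-B829CEA3F48D}\RP7\A0002347.exe
Adware:Adware/Gator Not disinfected D:\temp\DivXPro502GAINBundle.exe
Virus:Trj/Downloader.MDW Not disinfected E:\BACKUP\Downloads\startupmechanic2.8.exe[¦$$\System32\wmidext.dll]
"""

# Detection names may contain spaces ("Generic Trojan"), so the name is matched
# lazily up to the status word that the report always emits.
LINE_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)


class Finding(NamedTuple):
    category: str   # Virus, Spyware, Adware, Hacktool
    name: str       # detection name, e.g. Trj/Bancos.RQ
    status: str     # "Disinfected" or "Not disinfected"
    location: str   # path; "[inner]" suffixes mean a member inside an archive


def parse_activescan(text: str) -> list[Finding]:
    """Return the findings in a report; the header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def classify(f: Finding) -> str:
    """Bucket a finding by where it lives; the order matters (cookie names contain '[n]')."""
    loc = f.location.lower()
    if f.name.startswith("Cookie/"):
        return "cookie"          # tracking cookie, not executable code
    if "\\qoobox\\quarantine\\" in loc:
        return "quarantine"      # already isolated by ComboFix
    if "\\system volume information\\_restore" in loc:
        return "restore_point"   # inert unless that restore point is applied
    if "[" in f.location:
        return "archive"         # member of an archive or installer bundle
    return "live"                # loose file on disk


def triage(text: str) -> dict[str, list[Finding]]:
    """Group a report's findings by bucket."""
    buckets: dict[str, list[Finding]] = defaultdict(list)
    for f in parse_activescan(text):
        buckets[classify(f)].append(f)
    return dict(buckets)


def needs_attention(text: str) -> list[Finding]:
    """Loose on-disk files the scanner could not disinfect: the items to act on first."""
    return [f for f in triage(text).get("live", []) if f.status == "Not disinfected"]


if __name__ == "__main__":
    for bucket, items in sorted(triage(REPORT).items()):
        print(f"{bucket:14s} {len(items)}")
    print("Still on disk and not disinfected:")
    for f in needs_attention(REPORT):
        print(f"  {f.category}:{f.name}  {f.location}")
```

On the constructed excerpt this leaves three loose files to deal with, while the quarantine, restore-point and archive hits are reported separately as lower priority; the same split is what a helper does by eye when reading a report like the one above.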
  5. 2008/03/31
    meda
    Here is "Main.txt" log from Deckard's System Scanner.

    Deckard's System Scanner v20071014.68
    Run by sasha on 2008-03-31 23:58:50
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    33: 2008-03-31 21:58:54 UTC - RP33 - Deckard's System Scanner Restore Point
    32: 2008-03-30 22:16:34 UTC - RP32 - ComboFix created restore point
    31: 2008-03-30 18:05:52 UTC - RP31 - Installed ACDSee 6.0 PowerPack Trial
    30: 2008-03-30 18:01:45 UTC - RP30 - Installed Adobe Reader 7.0.9
    29: 2008-03-30 17:41:41 UTC - RP29 - Installed Adobe Reader 7.0.7


    -- First Restore Point --
    1: 2008-03-30 10:16:24 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as sasha.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:59:19, on 31.3.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Documents and Settings\sasha\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\sasha.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206873716390
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    --
    End of file - 5105 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_2000&DEV_2800&SUBSYS_28001801&REV_02\4&BC67B8D&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_2000&DEV_2800&SUBSYS_28001801&REV_02\4&BC67B8D&0&08F0
    Service:


    -- Files created between 2008-02-29 and 2008-03-31 -----------------------------

    2008-03-31 00:24:15 0 d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-31 00:13:35 68096 --a------ C:\WINDOWS\system32\zip.exe
    2008-03-31 00:13:35 98816 --a------ C:\WINDOWS\system32\sed.exe
    2008-03-31 00:13:35 80412 --a------ C:\WINDOWS\system32\grep.exe
    2008-03-31 00:13:35 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-03-30 20:15:06 0 d-------- C:\Documents and Settings\sasha\Application Data\ACD Systems
    2008-03-30 20:14:11 0 d-------- C:\Program Files\uTorrent
    2008-03-30 20:14:02 0 d-------- C:\Documents and Settings\sasha\Application Data\uTorrent
    2008-03-30 20:12:10 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
    2008-03-30 20:12:10 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
    2008-03-30 20:12:10 544768 --a------ C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
    2008-03-30 20:12:10 569344 --a------ C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
    2008-03-30 20:12:10 0 d-------- C:\Program Files\Common Files\Ahead
    2008-03-30 20:12:06 0 d-------- C:\Program Files\Ahead
    2008-03-30 20:06:00 0 d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
    2008-03-30 20:05:55 0 d-------- C:\Program Files\Common Files\ACD Systems
    2008-03-30 20:05:55 0 d-------- C:\Program Files\ACD Systems
    2008-03-30 20:05:54 9856 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    2008-03-30 20:05:00 0 d-------- C:\WINDOWS\Downloaded Installations
    2008-03-30 20:02:00 0 d-------- C:\Program Files\Common Files\Adobe
    2008-03-30 20:01:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-03-30 20:00:32 0 d-------- C:\Program Files\Mv2Player
    2008-03-30 19:48:44 0 d-------- C:\Documents and Settings\sasha\Application Data\AdobeUM
    2008-03-30 19:46:37 0 d-------- C:\Documents and Settings\sasha\Application Data\WinRAR
    2008-03-30 19:39:02 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2008-03-30 19:39:02 0 d-------- C:\Program Files\DAEMON Tools
    2008-03-30 19:37:26 96256 --a------ C:\WINDOWS\system32\drivers\sptd3405.sys
    2008-03-30 19:37:26 664064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-03-30 19:31:44 0 d-------- C:\Program Files\DivX Total Pack
    2008-03-30 19:11:50 0 d-------- C:\Program Files\Trend Micro
    2008-03-30 19:07:51 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-03-30 19:07:25 0 d-------- C:\WINDOWS\SHELLNEW
    2008-03-30 19:06:15 0 d-------- C:\Program Files\Microsoft.NET
    2008-03-30 19:05:03 0 dr-h----- C:\MSOCache
    2008-03-30 18:34:34 0 d-ahs---- C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
    2008-03-30 18:30:09 0 d-------- C:\WINDOWS\system32\appmgmt
    2008-03-30 18:00:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-03-30 17:44:22 0 d-------- C:\WINDOWS\Sun
    2008-03-30 17:44:22 0 d-------- C:\Documents and Settings\sasha\Application Data\Sun
    2008-03-30 17:43:35 0 d-------- C:\Program Files\Java
    2008-03-30 17:41:00 0 d-------- C:\Program Files\Common Files\Java
    2008-03-30 16:38:24 0 d-------- C:\WINDOWS\pss
    2008-03-30 16:08:24 73216 --ahs---- C:\WINDOWS\vxds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-03-30 15:38:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-30 15:32:19 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-03-30 15:31:18 0 d-------- C:\WINDOWS\system32\LogFiles
    2008-03-30 15:31:18 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-30 15:26:55 0 d-------- C:\Documents and Settings\sasha\Application Data\Macromedia
    2008-03-30 15:16:15 0 d-------- C:\Documents and Settings\sasha\Application Data\Adobe
    2008-03-30 14:58:10 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-03-30 14:58:09 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-03-30 14:58:09 6550 --a------ C:\WINDOWS\jautoexp.dat
    2008-03-30 14:58:05 113 --a------ C:\WINDOWS\system32\zonedon.reg
    2008-03-30 14:58:05 113 --a------ C:\WINDOWS\system32\zonedoff.reg
    2008-03-30 14:11:23 0 d-------- C:\Documents and Settings\sasha\Application Data\ATI
    2008-03-30 14:11:23 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
    2008-03-30 14:09:03 0 d-------- C:\Program Files\ATI Technologies
    2008-03-30 14:08:11 0 d-------- C:\ATI
    2008-03-30 14:06:48 0 --a------ C:\WINDOWS\ativpsrm.bin
    2008-03-30 14:05:58 0 d-------- C:\Program Files\Common Files\ODBC
    2008-03-30 14:05:55 0 dr------- C:\Program Files
    2008-03-30 14:05:55 0 d-------- C:\Program Files\Common Files
    2008-03-30 14:05:55 0 d-------- C:\Program Files\Common Files\SpeechEngines
    2008-03-30 14:05:34 0 d--h----- C:\Documents and Settings\Default User\Templates
    2008-03-30 14:05:34 0 dr------- C:\Documents and Settings\Default User\Start Menu
    2008-03-30 14:05:34 0 dr-h----- C:\Documents and Settings\Default User\SendTo
    2008-03-30 14:05:34 0 d--h----- C:\Documents and Settings\Default User\Recent
    2008-03-30 14:05:34 0 d--h----- C:\Documents and Settings\Default User\PrintHood
    2008-03-30 14:05:34 0 d--h----- C:\Documents and Settings\Default User\NetHood
    2008-03-30 14:05:34 0 d-------- C:\Documents and Settings\Default User\My Documents
    2008-03-30 14:05:34 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
    2008-03-30 14:05:34 0 d-------- C:\Documents and Settings\Default User\Favorites
    2008-03-30 14:05:34 0 d-------- C:\Documents and Settings\Default User\Desktop
    2008-03-30 14:05:34 0 d---s---- C:\Documents and Settings\Default User\Cookies
    2008-03-30 14:05:34 0 d--h----- C:\Documents and Settings\All Users\Templates
    2008-03-30 14:05:34 0 dr------- C:\Documents and Settings\All Users\Start Menu
    2008-03-30 14:05:34 0 d-------- C:\Documents and Settings\All Users\Favorites
    2008-03-30 14:05:34 0 dr------- C:\Documents and Settings\All Users\Documents
    2008-03-30 14:05:34 0 d-------- C:\Documents and Settings\All Users\Desktop
    2008-03-30 14:05:21 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-30 14:05:21 0 d-------- C:\WINDOWS\system32\CatRoot
    2008-03-30 14:05:16 0 dr-h----- C:\Documents and Settings\Default User\Application Data
    2008-03-30 14:05:16 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
    2008-03-30 14:05:16 0 dr-h----- C:\Documents and Settings\All Users\Application Data
    2008-03-30 14:05:16 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-03-30 14:04:57 0 d-------- C:\Documents and Settings
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\WinSxS
    2008-03-30 14:00:18 0 dr------- C:\WINDOWS\Web
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\twain_32
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\wins
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\wbem
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\usmt
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\spool
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\ShellExt
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\Setup
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\ras
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\oobe
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\npp
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\mui
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\inetsrv
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\IME
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\icsxml
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\ias
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\export
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\drivers
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\drivers\etc
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\drivers\disdn
    2008-03-30 14:00:18 0 dr-hs--c- C:\WINDOWS\system32\dllcache
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\dhcp
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\config
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\3com_dmi
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\3076
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\2052
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1054
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1042
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1041
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1037
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1033
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1031
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1028
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system32\1025
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\system
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\security
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Resources
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\repair
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\mui
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\msapps
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\msagent
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Media
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\java
    2008-03-30 14:00:18 0 d--h----- C:\WINDOWS\inf
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\ime
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Help
    2008-03-30 14:00:18 0 dr--s---- C:\WINDOWS\Fonts
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Driver Cache
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Debug
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Cursors
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Connection Wizard
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\Config
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\AppPatch
    2008-03-30 14:00:18 0 d-------- C:\WINDOWS\addins
    2008-03-30 13:43:13 0 d-------- C:\WINDOWS\network diagnostic
    2008-03-30 13:31:33 0 d-------- C:\Documents and Settings\sasha\Application Data\AVG7
    2008-03-30 13:31:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-30 13:31:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-30 13:31:15 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-30 12:49:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-03-30 12:47:23 0 d-------- C:\WINDOWS\system32\PreInstall
    2008-03-30 12:47:22 0 d--h----- C:\WINDOWS\$hf_mig$
    2008-03-30 12:42:55 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
    2008-03-30 12:41:38 0 d--hs---- C:\Documents and Settings\sasha\UserData
    2008-03-30 12:35:28 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2008-03-30 12:35:04 0 d-------- C:\WINDOWS\SoftwareDistribution
    2008-03-30 12:35:01 0 d-------- C:\WINDOWS\Prefetch
    2008-03-30 12:31:06 0 d-------- C:\WINDOWS\peernet
    2008-03-30 12:31:05 0 d-------- C:\WINDOWS\provisioning
    2008-03-30 12:30:10 0 d-------- C:\WINDOWS\ServicePackFiles
    2008-03-30 12:27:12 0 d-------- C:\WINDOWS\EHome
    2008-03-30 12:22:31 0 d-------- C:\WINDOWS\system32\Lang
    2008-03-30 12:21:23 0 d-------- C:\Program Files\BroadCom GB LAN
    2008-03-30 12:21:22 327168 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
    2008-03-30 12:21:15 40960 -r------- C:\WINDOWS\system32\ChCfg.exe
    2008-03-30 12:20:54 0 d-------- C:\WINDOWS\system32\RTCOM
    2008-03-30 12:20:35 0 d-------- C:\Program Files\Realtek
    2008-03-30 12:20:34 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-03-30 12:20:33 487424 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
    2008-03-30 12:20:27 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-03-30 12:18:40 0 d---s---- C:\WINDOWS\system32\Microsoft
    2008-03-30 12:18:20 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2008-03-30 12:18:19 0 d-------- C:\Program Files\Intel
    2008-03-30 12:16:19 0 d--hs---- C:\WINDOWS\Installer
    2008-03-30 12:16:15 0 d-------- C:\Documents and Settings\sasha\Application Data\Identities
    2008-03-30 12:16:06 0 d--h----- C:\Documents and Settings\sasha\Templates
    2008-03-30 12:16:06 0 dr------- C:\Documents and Settings\sasha\Start Menu
    2008-03-30 12:16:06 0 dr-h----- C:\Documents and Settings\sasha\SendTo
    2008-03-30 12:16:06 0 dr-h----- C:\Documents and Settings\sasha\Recent
    2008-03-30 12:16:06 0 d--h----- C:\Documents and Settings\sasha\PrintHood
    2008-03-30 12:16:06 1835008 --ah----- C:\Documents and Settings\sasha\NTUSER.DAT
    2008-03-30 12:16:06 0 d--h----- C:\Documents and Settings\sasha\NetHood
    2008-03-30 12:16:06 0 dr------- C:\Documents and Settings\sasha\My Documents
    2008-03-30 12:16:06 0 d--h----- C:\Documents and Settings\sasha\Local Settings
    2008-03-30 12:16:06 0 dr------- C:\Documents and Settings\sasha\Favorites
    2008-03-30 12:16:06 0 d-------- C:\Documents and Settings\sasha\Desktop
    2008-03-30 12:16:06 0 d--hs---- C:\Documents and Settings\sasha\Cookies
    2008-03-30 12:16:06 0 dr-h----- C:\Documents and Settings\sasha\Application Data
    2008-03-30 12:15:44 0 d--hs---- C:\System Volume Information
    2008-03-30 12:15:43 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
    2008-03-30 12:15:43 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
    2008-03-30 12:15:43 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
    2008-03-30 12:15:43 0 d-------- C:\Documents and Settings\LocalService\Application Data
    2008-03-30 12:15:43 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
    2008-03-30 12:15:42 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
    2008-03-30 12:15:42 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
    2008-03-30 12:15:42 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
    2008-03-30 12:15:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data
    2008-03-30 12:15:42 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    2008-03-30 12:13:17 0 d-------- C:\WINDOWS\system32\xircom
    2008-03-30 12:13:17 0 d-------- C:\Program Files\microsoft frontpage
    2008-03-30 12:13:08 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
    2008-03-30 12:13:07 0 -rahs---- C:\MSDOS.SYS
    2008-03-30 12:13:07 0 -rahs---- C:\IO.SYS
    2008-03-30 12:13:07 0 --a------ C:\CONFIG.SYS
    2008-03-30 12:13:07 0 --a------ C:\AUTOEXEC.BAT
    2008-03-30 12:12:31 0 d--hs---- C:\Documents and Settings\All Users\DRM
    2008-03-30 12:12:24 0 dr------- C:\WINDOWS\Offline Web Pages
    2008-03-30 12:12:24 0 d---s---- C:\WINDOWS\Downloaded Program Files
    2008-03-30 12:12:01 0 d-------- C:\WINDOWS\system32\DirectX
    2008-03-30 12:11:11 0 d---s---- C:\WINDOWS\Tasks
    2008-03-30 12:11:07 0 d-------- C:\Program Files\Common Files\MSSoap
    2008-03-30 12:11:02 0 d-------- C:\WINDOWS\system32\Macromed
    2008-03-30 12:11:02 0 d-------- C:\WINDOWS\srchasst
    2008-03-30 12:11:00 0 d-------- C:\Program Files\Movie Maker
    2008-03-30 12:10:55 0 d-------- C:\WINDOWS\system32\Restore
    2008-03-30 12:10:55 0 d-------- C:\WINDOWS\PCHealth
    2008-03-30 12:10:22 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2008-03-30 12:10:20 0 d-------- C:\WINDOWS\Registration
    2008-03-30 12:10:18 0 d--h----- C:\Program Files\WindowsUpdate
    2008-03-30 12:10:18 0 d-------- C:\Program Files\Online Services
    2008-03-30 12:10:14 0 d-------- C:\Program Files\Messenger
    2008-03-30 12:10:08 0 d-------- C:\Program Files\MSN Gaming Zone
    2008-03-30 12:09:23 0 d-------- C:\Program Files\Windows NT
    2008-03-30 12:09:20 0 d-------- C:\WINDOWS\system32\MsDtc
    2008-03-30 12:09:20 0 d-------- C:\WINDOWS\system32\Com


    -- Find3M Report ---------------------------------------------------------------

    2008-03-30 14:05:34 62 --ahs---- C:\Documents and Settings\sasha\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL "= "RTHDCPL.EXE" [22.09.2005 07:36 C:\WINDOWS\RTHDCPL.exe]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [30.03.2008 13:31]
    "StartCCC "= "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21.01.2008 12:17]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 10:50]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23.9.2005 22:05:26]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts "=0 (0x0)
    "HideLogoffScripts "=0 (0x0)
    "RunLogonScriptSync "=1 (0x1)
    "RunStartupScriptSync "=1 (0x1)
    "HideStartupScripts "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "




    -- End of Deckard's System Scanner: finished at 2008-04-01 00:00:28 ------------
     
    meda,
    #4
  6. 2008/03/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi meda

    These are old versions of combofix and need to be removed.

    Please do this.
    Click Start > Run; in the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.


    Now go here and remove combofix.exe
    E:\BACKUP\Downloads\ComboFix.exe


    I see you have P2P software (Limewire, BitTorrent, uTorrent, EDonkey 2000 etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.


    Please do the following in the order given.

    Now download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log. Let me know what issues still exist.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Now this please.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the MBAM log and the Combofix log.

    Thanks
    Geri
     
    Geri,
    #5
  7. 2008/04/03
    NewMember11111

    NewMember11111 Inactive

    Joined:
    2008/04/03
    Messages:
    2
    Likes Received:
    0
    Solution for this Virus Found

    I've found the solution for this virus and I totally removed it. Here are the instructions:

    First do as Geri said, scan with HijackThis and check the boxes for the following lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then close all open windows except HijackThis and click Fix checked

    Then go to Start>>Run
    Type regedit (If it doesn't open the Registry Editor, try performing a full system scan. Recommended anti-virus: Kaspersky, Norton)
    When you open the editor, navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    On the right side delete the "LogonPrompt " and "Welcome " values and change the "LegalNoticeText " and "LegalNoticeCaption " values to blank (Double-click and delete the text. This all will remove the welcome screen.)
    Then go to HKEY_CURRENT_USER\Software\Microsoft\Command Processor and delete this AutoRun = dir /s *.exe && TITLE [Day of judgment] && COLOR AC && CLS && ECHO [Antichrist]
    Then go to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\ and delete the mountpoints2 folder.
    Then go to this url and download the file: http://dougknox.com/xp/fileassoc/xp_drive_association_fix.zip
    When you finish downloading, unpack it and install the xp_drive_association_fix.reg

    Then go back to Registry Editor. Click Edit and then Find...
    First type [Antichrist] and click Find Next (Be sure that the keys, values, data boxes are checked)
    When it finds, double click on it and type to who the program is registered to. There are two things you will have to change, RegCompany and RegOwner. Be sure to change it properly or just type PHX. Whenever you finish changing one of them, go to Edit/Find Next, just to be sure that everything is back to normal.
    Then type [Day of Judgment] and do the same things from the previous step if it finds anything.
    Then close the Registry Editor.

    You will need to manually delete some files from your computer, if your anti-virus didn't do it already. (Kaspersky and Norton Anti-Virus detect these threats; as for the others, I'm not sure. It is highly recommended that you remove them with your anti-virus, but if you can't, then do it manually.)
    Delete these files.
    C:\WINDOWS\system32\sys.exe (Type the right letter for your Hard Drive.)
    C:\WINDOWS\shell.exe
    C:\WINDOWS\vxds.exe
    C:\WINDOWS\Help\hlps.exe
    C:\WINDOWS\media\wma.exe
    C:\WINDOWS\System32\ocmorapw.dll
    C:\WINDOWS\media\windows xp ringin.wav
    C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
    If you used an anti-virus, check manually if all of these files were deleted.

    Then go to start>>Run
    Type msconfig.
    When it starts, go to the StartUp tab.
    Uncheck the boxes for the following programs:
    ocmorapw
    vxds
    hlps
    wma
    blank
    Click OK. If it asks to restart the computer, don't restart it.

    For the next things, you will need to enable the Folder Options so you can change the settings to see hidden files and folders and system files. To do so, you will need to go to Start>>Run
    Type regedit again.
    When you have opened the Registry Editor, go here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and change the value for NoFolderOptions to 0.
    Then restart your computer.

    Now, go to the C:\WINDOWS\system32 folder. Click on Tools and then on Folder Options. Allow hidden files and folders to be seen and uncheck the "Hide protected operating system files" box (Don't forget to check the box again when your computer is cleaned of this virus). Then find this web page in the folder: blank.htm. Open it to be sure that it's the virus. (It should be the annoying web page that automatically opens when Windows starts.)
    Delete it if it is the virus.
    Then find this, OEMINFO.INI.
    Delete it.
    Find this image, OEMLOGO.BMP
    Delete it.
    Go to Control Panel, then Internet Options.
    Change the homepage setting from "C:\WINDOWS\system32\blank.htm" to any address you would like to be your homepage.

    It also changes many more things in the registry, be sure to check and fix everything listed below.
    -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "vxds" should be removed.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "hlps" should be removed.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "blank" should be without text.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" should be 0.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveAutoRun" should be 0.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Load" should be without text.
    -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" should be explorer.exe
    -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" should be %sysdir%\userinit.exe
    -HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" should be without text.
    -HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" should be without text.
    -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "SFCDisable" should be 0.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" should be 1.
    -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" should be 1.

    Note: It makes copies on removable drives. Fully scan every drive that comes in contact with your computer before opening it.

    And that's it, reboot your computer and check if everything is back to normal. Don't forget to check your computer for spyware and malware. I hope these instructions helped you fix your problem.
     
    Last edited: 2008/04/03
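The registry values and file paths in the post above can be checked in one pass instead of by hand. The script below is an added example, not code from NewMember11111 or the forum: it reads each location the post names, compares it with the state the post says is clean, and reports OK, FINDING or REVIEW without changing anything, so the result can be looked over before any manual registry editing. It assumes that the post's "%sysdir%" means $env:SystemRoot\system32 and reproduces the Recycler path exactly as the post gives it; the Window Title check comes from the HijackThis R1 line quoted at the start of the post.

```powershell
# Added example (not from the thread): read-only audit of the registry values
# and file paths the post associates with this infection. Nothing is modified.
# Assumptions: %sysdir% = $env:SystemRoot\system32; Recycler path as in the post.

$sysRoot = $env:SystemRoot
$sys32   = Join-Path $sysRoot 'system32'

function Get-RegValue {
    # Returns the data of a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$run = 'Microsoft\Windows\CurrentVersion\Run'
$wl  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ie  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# One entry per location from the post: where to look, what clean looks like,
# and a test that returns $true when the current value is acceptable.
$checks = @(
    @{ Path="HKLM:\SOFTWARE\$run"; Name='vxds';  Want='absent'; Ok={ param($v) $null -eq $v } }
    @{ Path="HKCU:\Software\$run"; Name='hlps';  Want='absent'; Ok={ param($v) $null -eq $v } }
    @{ Path="HKCU:\Software\$run"; Name='blank'; Want='empty';  Ok={ param($v) [string]::IsNullOrEmpty($v) } }
    # Policies the infection flips to keep the user out of Task Manager / Folder Options
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';  Want='0 or absent'; Ok={ param($v) -not $v } }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions'; Want='0 or absent'; Ok={ param($v) -not $v } }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveAutoRun';  Want='0 or absent'; Ok={ param($v) -not $v } }
    # Persistence points that must not carry extra commands
    @{ Path='HKCU:\Software\Microsoft\Command Processor';             Name='AutoRun'; Want='empty'; Ok={ param($v) [string]::IsNullOrEmpty($v) } }
    @{ Path='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name='Load';    Want='empty'; Ok={ param($v) [string]::IsNullOrEmpty($v) } }
    @{ Path="HKLM:\$wl"; Name='Shell';    Want='explorer.exe';        Ok={ param($v) "$v".Trim() -eq 'explorer.exe' } }
    # Windows stores Userinit with a trailing comma; strip it before comparing.
    @{ Path="HKLM:\$wl"; Name='Userinit'; Want="$sys32\userinit.exe"; Ok={ param($v) "$v".TrimEnd(',').Trim() -eq (Join-Path $sys32 'userinit.exe') } }
    @{ Path="HKLM:\$wl"; Name='SFCDisable';         Want='0 or absent'; Ok={ param($v) -not $v } }
    @{ Path="HKLM:\$wl"; Name='LegalNoticeCaption'; Want='empty';       Ok={ param($v) [string]::IsNullOrEmpty($v) } }
    @{ Path="HKLM:\$wl"; Name='LegalNoticeText';    Want='empty';       Ok={ param($v) [string]::IsNullOrEmpty($v) } }
    # IE must not point at the dropped blank.htm or carry the hijacked title
    @{ Path=$ie; Name='Start Page';   Want='not blank.htm';          Ok={ param($v) "$v" -notmatch 'blank\.htm' } }
    @{ Path=$ie; Name='Search Page';  Want='not blank.htm';          Ok={ param($v) "$v" -notmatch 'blank\.htm' } }
    @{ Path=$ie; Name='Window Title'; Want='not [Day of judgment]';  Ok={ param($v) "$v" -notmatch 'judgment' } }
)

# Files the post lists as dropped. OEMINFO.INI / OEMLOGO.BMP are also used by
# legitimate OEM branding, so they are reported for review, not as findings.
$droppedFiles = @(
    (Join-Path $sys32   'sys.exe'),
    (Join-Path $sysRoot 'shell.exe'),
    (Join-Path $sysRoot 'vxds.exe'),
    (Join-Path $sysRoot 'Help\hlps.exe'),
    (Join-Path $sysRoot 'media\wma.exe'),
    (Join-Path $sys32   'ocmorapw.dll'),
    (Join-Path $sysRoot 'media\windows xp ringin.wav'),
    (Join-Path $sys32   'blank.htm'),
    'C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe'   # verbatim from the post
)
$reviewFiles = @( (Join-Path $sys32 'OEMINFO.INI'), (Join-Path $sys32 'OEMLOGO.BMP') )

function Invoke-DayOfJudgmentAudit {
    # Runs every check and returns the list of locations that deviate (empty = clean).
    $findings = @()
    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        if (& $c.Ok $v) {
            Write-Host ("OK       {0}\{1}" -f $c.Path, $c.Name)
        } else {
            Write-Host ("FINDING  {0}\{1} = '{2}' (expected {3})" -f $c.Path, $c.Name, $v, $c.Want)
            $findings += "$($c.Path)\$($c.Name)"
        }
    }
    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f) { Write-Host "FINDING  file present: $f"; $findings += $f }
    }
    foreach ($f in $reviewFiles) {
        if (Test-Path -LiteralPath $f) { Write-Host "REVIEW   file present (may be legitimate OEM branding): $f" }
    }
    return ,$findings
}

$result = Invoke-DayOfJudgmentAudit
Write-Host ("{0} finding(s)." -f $result.Count)
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A FINDING on a Run entry, the Command Processor AutoRun value or the Winlogon Shell/Userinit values is the strongest signal, since those are where the infection re-launches itself; the Start Page and Window Title checks only look for the specific strings the post mentions, so a clean machine with a normal home page passes them.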
  8. 2008/04/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi NewMember11111
    Thanks for the detailed removal instructions. :)

    Some people are not quite up to digging into the registry and deleting Keys, Sub Keys or changing values.
    This can be risky even to a seasoned user.

    I'm glad this cleaned your system, but I'm sure you know that each system can be different and some of those reg entries may not be present on their system.

    Thanks
    Geri
    ----------------------------------------------------------------------
    Hi meda

    I do recommend that you follow my instructions.

    Geri
     
    Geri,
    #7
