15 replies to this topic

[lawrentioo]

hey! i get this message in my IE7 window.. i've installed hijackthis and i get the following log : Logfile of HijackThis v1.99.1 Scan saved at 11:45:55 PM, on 1/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\adi\Desktop\HijackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: SXG Advisor - {EFA7CBC8-4CCD-4ACB-969D-007123ADF44A} - C:\WINDOWS\dntpkwodws.dll O3 - Toolbar: ekxdvft - {E5CBFDFA-6B88-4C04-AC4C-C6875D808503} - C:\WINDOWS\ekxdvft.dll (file missing) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O17 - HKLM\System\CCS\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7 O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F2C091-C153-4EAA-86F6-2C3EF4307C23}: NameServer = 217.156.110.1,86.104.16.10,62.231.76.49 O17 - HKLM\System\CS1\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing) WHAT SHOULD I DO??? can u help me please!! i'm getting real sad, don't want to reinstall my operating system 10x

[Trevuren]

Hello lawrentioo and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

[lawrentioo]

SDFix: Version 1.131

Run by adi on Mon 01/28/2008 at 07:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\adi\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 20:10:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:0fde7af3
"s2"=dword:3964411b
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:c1,5d,6b,54,d9,e3,34,5e,8b,d0,d5,80,0d,d6,de,2e,05,7d,f3,aa,15,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:b3,eb,64,1b,4f,a9,26,90,d2,8e,dc,f2,be,00,a6,8c,21,1a,d6,4f,39,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,fc,3a,6c,dd,8d,dd,8a,ee,5c,12,99,d6,e0,eb,a9,b7,12,..
"khjeh"=hex:83,51,03,53,36,8e,8a,c8,7e,a7,2c,d3,05,29,c3,30,1d,b2,1f,e8,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7e,7b,83,dd,4c,7d,06,3b,6a,01,e9,da,c0,ea,dd,84,62,b5,9a,fe,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:79,0a,c4,03,7c,7c,95,d1,28,5b,b8,b1,d2,5d,2d,a2,a4,a6,29,d0,8a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:c1,5d,6b,54,d9,e3,34,5e,8b,d0,d5,80,0d,d6,de,2e,05,7d,f3,aa,15,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:b3,eb,64,1b,4f,a9,26,90,d2,8e,dc,f2,be,00,a6,8c,21,1a,d6,4f,39,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,fc,3a,6c,dd,8d,dd,8a,ee,5c,12,99,d6,e0,eb,a9,b7,12,..
"khjeh"=hex:83,51,03,53,36,8e,8a,c8,7e,a7,2c,d3,05,29,c3,30,1d,b2,1f,e8,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7e,7b,83,dd,4c,7d,06,3b,6a,01,e9,da,c0,ea,dd,84,62,b5,9a,fe,92,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:79,0a,c4,03,7c,7c,95,d1,28,5b,b8,b1,d2,5d,2d,a2,a4,a6,29,d0,8a,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"F:\\gp4\\gp4.exe"="F:\\gp4\\gp4.exe:*:Enabled:gp4"
"C:\\Program Files\\Common Files\\System\\msnmssgr.exe"="C:\\Program Files\\Common Files\\System\\msnmssgr.exe:*:Enabled:WindowsSystem32"
"E:\\jocuri\\ms flight sim\\fs9.exe"="E:\\jocuri\\ms flight sim\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"E:\\jocuri\\wr2\\MP Lounge 2.exe"="E:\\jocuri\\wr2\\MP Lounge 2.exe:*:Enabled:MP Lounge 2"
"E:\\jocuri\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="E:\\jocuri\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"E:\\jocuri\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="E:\\jocuri\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"I:\\JOCURI\\TENIS\\Virtua Tennis\\VIRTUA_TENNIS_PC.exe"="I:\\JOCURI\\TENIS\\Virtua Tennis\\VIRTUA_TENNIS_PC.exe:*:Enabled:VIRTUA_TENNIS_PC"
"E:\\jocuri\\TEST DRIVE UNLIMITED\\TestDriveUnlimited.exe"="E:\\jocuri\\TEST DRIVE UNLIMITED\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"E:\\jocuri\\TEST DRIVE UNLIMITED\\TDU\\TestDriveUnlimited.exe"="E:\\jocuri\\TEST DRIVE UNLIMITED\\TDU\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"E:\\strong dc\\StrongDC.exe"="E:\\strong dc\\StrongDC.exe:*:Enabled:StrongDC++"
"E:\\jocuri\\cod4\\iw3mp.exe"="E:\\jocuri\\cod4\\iw3mp.exe:*:Enabled:iw3mp"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\adi\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 5 Jun 2006 2,045 ...H. --- "C:\WINDOWS\system32\whlb32f.dll"
Mon 1 Oct 2007 1,332 ...HR --- "C:\Documents and Settings\adi\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

[lawrentioo]

Who are you Mr. Trevuren ?? I see there are a lot of persons helped by you on this site.. Thank you very much!

[Trevuren]

with a new HijackThis log

[lawrentioo]

soory Logfile of HijackThis v1.99.1 Scan saved at 9:09:48 PM, on 1/28/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\adi\Desktop\HijackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: SXG Advisor - {EFA7CBC8-4CCD-4ACB-969D-007123ADF44A} - C:\WINDOWS\dntpkwodws.dll O3 - Toolbar: ekxdvft - {E5CBFDFA-6B88-4C04-AC4C-C6875D808503} - C:\WINDOWS\ekxdvft.dll (file missing) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O17 - HKLM\System\CCS\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7 O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F2C091-C153-4EAA-86F6-2C3EF4307C23}: NameServer = 217.156.110.1,86.104.16.10,62.231.76.49 O17 - HKLM\System\CS1\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

[Trevuren]

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Remember to re enable the protection again afterwards before connecting to the net

--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

• WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
• Please do not re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

[lawrentioo]

ComboFix 08-01-29.3 - adi 2008-01-29 18:37:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.673 [GMT 2:00]
Running from: C:\Documents and Settings\adi\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\drivers\sfsync03.sys

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://softworldnetwork2.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\LEGACY_SFSYNC03
-------\sfsync02
-------\sfsync03


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 19:55 . 2008-01-28 19:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 15:37 . 2008-01-27 15:37 32 --ahs---- C:\WINDOWS\system32\{18700EA8-4EAF-4615-BF24-3B51716C0871}.dat
2008-01-27 15:37 . 2008-01-27 15:37 32 --ahs---- C:\WINDOWS\{A5B3A81C-CFF8-4BE8-9B8E-27A8897CDC57}.dat
2008-01-27 15:36 . 2008-01-27 15:36 32 --ahs---- C:\WINDOWS\system32\{E35D6A4A-BA19-4108-B9E3-2E23A4B79518}.dat
2008-01-27 15:36 . 2008-01-27 15:36 32 --ahs---- C:\WINDOWS\system32\{B663EF85-56A7-4AD0-9783-D39FBA5D09FE}.dat
2008-01-27 15:36 . 2008-01-27 15:36 32 --ahs---- C:\WINDOWS\{F155ED6C-6991-413A-B305-148FD6043070}.dat
2008-01-27 15:36 . 2008-01-27 15:36 32 --ahs---- C:\WINDOWS\{80F8EBEA-F0A7-4F39-A4A3-1821FFBDBA66}.dat
2008-01-27 15:35 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-27 15:35 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-27 15:34 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-27 15:34 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-27 15:34 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-27 15:34 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\system32\{C3DE8ACF-A1AE-4B31-8565-2B806900B346}.dat
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\system32\{74BABDCA-85E9-4C78-A2F2-ADB22D373097}.dat
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\system32\{720A8A70-0B56-491E-8636-A3542A448473}.dat
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\{71F36533-4475-4263-AC5B-727B0D335AE8}.dat
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\{3F813B05-3B33-4999-8794-7848AA68DF1E}.dat
2008-01-27 15:34 . 2008-01-27 15:34 32 --ahs---- C:\WINDOWS\{3BF86D0E-BE2D-4A08-8941-FC3F575BA5DD}.dat
2008-01-27 15:33 . 2002-08-28 20:41 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-01-27 15:33 . 2002-08-28 20:41 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-27 15:33 . 2002-08-28 20:41 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-27 15:33 . 2008-01-27 15:33 32 --ahs---- C:\WINDOWS\system32\{7DC37EDA-42C1-477F-A557-1C90F9E69A84}.dat
2008-01-27 15:33 . 2008-01-27 15:33 32 --ahs---- C:\WINDOWS\{715C8DDF-CE71-4950-AA61-F10BBA8874DE}.dat
2008-01-27 15:33 . 2008-01-27 15:33 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-27 14:46 . 2008-01-27 15:36 <DIR> d-------- C:\Program Files\Symantec
2008-01-27 14:46 . 2008-01-27 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\adi\Application Data\Symantec
2008-01-27 12:18 . 2008-01-27 08:39 303,104 --a------ C:\WINDOWS\dntpkwodws.dll
2008-01-27 12:18 . 2008-01-27 08:39 81,920 --a------ C:\WINDOWS\ffvrdgt.exe
2008-01-22 19:59 . 2008-01-29 18:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-22 00:14 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-20 17:46 . 2008-01-20 17:46 <DIR> d-------- C:\Program Files\AVI MPEG ASF WMV Splitter
2008-01-20 12:33 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-01-20 12:28 . 2008-01-20 12:28 <DIR> d-------- C:\Drivers
2008-01-20 12:28 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-01-20 12:28 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-01-20 12:28 . 2001-07-03 20:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-01-20 12:28 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-01-20 12:28 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-01-20 12:28 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-01-20 12:17 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-20 12:17 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-20 12:16 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-20 12:16 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Real
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-14 20:40 . 2008-01-14 20:40 267 --a------ C:\WINDOWS\game.ini
2008-01-13 17:23 . 2008-01-13 17:23 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-30 01:21 . 2007-12-30 01:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 16:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-27 14:02 --------- d-----w C:\Program Files\Opera
2008-01-27 13:38 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-27 12:43 --------- d--h--r C:\Documents and Settings\adi\Application Data\yahoo!
2008-01-20 10:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 19:53 --------- d-----w C:\Program Files\Winamp
2007-12-23 10:28 --------- d-----w C:\Documents and Settings\adi\Application Data\Ahead
2007-12-05 22:16 --------- d-----w C:\Program Files\PowerQuest
2007-02-18 20:15 24,192 ----a-w C:\Documents and Settings\adi\usbsermptxp.sys
2007-02-18 20:15 22,768 ----a-w C:\Documents and Settings\adi\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA7CBC8-4CCD-4ACB-969D-007123ADF44A}]
2008-01-27 08:39 303104 --a------ C:\WINDOWS\dntpkwodws.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E5CBFDFA-6B88-4C04-AC4C-C6875D808503}
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

[HKEY_CLASSES_ROOT\clsid\{e5cbfdfa-6b88-4c04-ac4c-c6875d808503}]
[HKEY_CLASSES_ROOT\ekxdvft.1]
[HKEY_CLASSES_ROOT\TypeLib\{0F9D5910-A1D2-489F-BE36-8C3260B8AE76}]
[HKEY_CLASSES_ROOT\ekxdvft]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Resume copy"="copyfstq.exe" [2007-01-28 19:07 73728 C:\WINDOWS\copyfstq.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-16 23:33 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-08-19 22:22 50880 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-08-19 22:23 34504 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
--a------ 2006-09-13 08:58 2154496 C:\Program Files\VDOTool\TBPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-11-08 13:27 222208 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-28 14:45 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsSystem32]
C:\Program Files\Common Files\System\msnmssgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0b419b6-775d-11dc-939c-000461525409}]
\Shell\AutoRun\command - M:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - M:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4edbefe-aef9-11db-9238-000461525409}]
\Shell\AutoRun\command - J:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 13:40:11 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-27 13:37:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-29 16:46:57 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:42:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-01-29 18:47:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 16:47:13
.
2008-01-21 22:17:28 --- E O F ---




++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++






Logfile of HijackThis v1.99.1
Scan saved at 6:51:05 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\adi\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: SXG Advisor - {EFA7CBC8-4CCD-4ACB-969D-007123ADF44A} - C:\WINDOWS\dntpkwodws.dll
O3 - Toolbar: ekxdvft - {E5CBFDFA-6B88-4C04-AC4C-C6875D808503} - C:\WINDOWS\ekxdvft.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F2C091-C153-4EAA-86F6-2C3EF4307C23}: NameServer = 217.156.110.1,86.104.16.10,62.231.76.49
O17 - HKLM\System\CS1\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

[Trevuren]

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\dntpkwodws.dll
C:\WINDOWS\ffvrdgt.exe
C:\WINDOWS\system32\{18700EA8-4EAF-4615-BF24-3B51716C0871}.dat
C:\WINDOWS\{A5B3A81C-CFF8-4BE8-9B8E-27A8897CDC57}.dat
C:\WINDOWS\system32\{E35D6A4A-BA19-4108-B9E3-2E23A4B79518}.dat
C:\WINDOWS\system32\{B663EF85-56A7-4AD0-9783-D39FBA5D09FE}.dat
C:\WINDOWS\{F155ED6C-6991-413A-B305-148FD6043070}.dat
C:\WINDOWS\{80F8EBEA-F0A7-4F39-A4A3-1821FFBDBA66}.dat
C:\WINDOWS\system32\{C3DE8ACF-A1AE-4B31-8565-2B806900B346}.dat
C:\WINDOWS\system32\{74BABDCA-85E9-4C78-A2F2-ADB22D373097}.dat
C:\WINDOWS\system32\{720A8A70-0B56-491E-8636-A3542A448473}.dat
C:\WINDOWS\{71F36533-4475-4263-AC5B-727B0D335AE8}.dat
C:\WINDOWS\{3F813B05-3B33-4999-8794-7848AA68DF1E}.dat
C:\WINDOWS\{3BF86D0E-BE2D-4A08-8941-FC3F575BA5DD}.dat
C:\WINDOWS\system32\{7DC37EDA-42C1-477F-A557-1C90F9E69A84}.dat
C:\WINDOWS\{715C8DDF-CE71-4950-AA61-F10BBA8874DE}.dat
C:\WINDOWS\dntpkwodws.dll

Folder::
M:\setup
M:\Directx
J:\Autorun.exe



Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA7CBC8-4CCD-4ACB-969D-007123ADF44A}]
[-HKEY_CLASSES_ROOT\clsid\{e5cbfdfa-6b88-4c04-ac4c-c6875d808503}]
[-HKEY_CLASSES_ROOT\ekxdvft.1]
[-HKEY_CLASSES_ROOT\TypeLib\{0F9D5910-A1D2-489F-BE36-8C3260B8AE76}]
[-HKEY_CLASSES_ROOT\ekxdvft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E5CBFDFA-6B88-4C04-AC4C-C6875D808503}"=-
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsSystem32]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0b419b6-775d-11dc-939c-000461525409}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4edbefe-aef9-11db-9238-000461525409}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:

• ComboFix.txt
• Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

[lawrentioo]

ComboFix 08-01-29.3 - adi 2008-01-29 22:39:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.668 [GMT 2:00]
Running from: C:\Documents and Settings\adi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\adi\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\{3BF86D0E-BE2D-4A08-8941-FC3F575BA5DD}.dat
C:\WINDOWS\{3F813B05-3B33-4999-8794-7848AA68DF1E}.dat
C:\WINDOWS\{715C8DDF-CE71-4950-AA61-F10BBA8874DE}.dat
C:\WINDOWS\{71F36533-4475-4263-AC5B-727B0D335AE8}.dat
C:\WINDOWS\{80F8EBEA-F0A7-4F39-A4A3-1821FFBDBA66}.dat
C:\WINDOWS\{A5B3A81C-CFF8-4BE8-9B8E-27A8897CDC57}.dat
C:\WINDOWS\{F155ED6C-6991-413A-B305-148FD6043070}.dat
C:\WINDOWS\dntpkwodws.dll
C:\WINDOWS\ffvrdgt.exe
C:\WINDOWS\system32\{18700EA8-4EAF-4615-BF24-3B51716C0871}.dat
C:\WINDOWS\system32\{720A8A70-0B56-491E-8636-A3542A448473}.dat
C:\WINDOWS\system32\{74BABDCA-85E9-4C78-A2F2-ADB22D373097}.dat
C:\WINDOWS\system32\{7DC37EDA-42C1-477F-A557-1C90F9E69A84}.dat
C:\WINDOWS\system32\{B663EF85-56A7-4AD0-9783-D39FBA5D09FE}.dat
C:\WINDOWS\system32\{C3DE8ACF-A1AE-4B31-8565-2B806900B346}.dat
C:\WINDOWS\system32\{E35D6A4A-BA19-4108-B9E3-2E23A4B79518}.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\{3BF86D0E-BE2D-4A08-8941-FC3F575BA5DD}.dat
C:\WINDOWS\{3F813B05-3B33-4999-8794-7848AA68DF1E}.dat
C:\WINDOWS\{715C8DDF-CE71-4950-AA61-F10BBA8874DE}.dat
C:\WINDOWS\{71F36533-4475-4263-AC5B-727B0D335AE8}.dat
C:\WINDOWS\{80F8EBEA-F0A7-4F39-A4A3-1821FFBDBA66}.dat
C:\WINDOWS\{A5B3A81C-CFF8-4BE8-9B8E-27A8897CDC57}.dat
C:\WINDOWS\{F155ED6C-6991-413A-B305-148FD6043070}.dat
C:\WINDOWS\dat.txt
C:\WINDOWS\dntpkwodws.dll
C:\WINDOWS\ffvrdgt.exe
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\{18700EA8-4EAF-4615-BF24-3B51716C0871}.dat
C:\WINDOWS\system32\{720A8A70-0B56-491E-8636-A3542A448473}.dat
C:\WINDOWS\system32\{74BABDCA-85E9-4C78-A2F2-ADB22D373097}.dat
C:\WINDOWS\system32\{7DC37EDA-42C1-477F-A557-1C90F9E69A84}.dat
C:\WINDOWS\system32\{B663EF85-56A7-4AD0-9783-D39FBA5D09FE}.dat
C:\WINDOWS\system32\{C3DE8ACF-A1AE-4B31-8565-2B806900B346}.dat
C:\WINDOWS\system32\{E35D6A4A-BA19-4108-B9E3-2E23A4B79518}.dat
J:\Autorun.exe\

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 19:55 . 2008-01-28 19:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-27 15:35 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-27 15:35 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-27 15:34 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-27 15:34 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-27 15:34 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-27 15:34 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-27 15:33 . 2002-08-28 20:41 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-01-27 15:33 . 2002-08-28 20:41 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-27 15:33 . 2002-08-28 20:41 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-27 15:33 . 2008-01-27 15:33 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-27 14:46 . 2008-01-27 15:36 <DIR> d-------- C:\Program Files\Symantec
2008-01-27 14:46 . 2008-01-27 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-27 14:46 . 2008-01-27 14:46 <DIR> d-------- C:\Documents and Settings\adi\Application Data\Symantec
2008-01-22 19:59 . 2008-01-29 18:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-22 00:14 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-20 17:46 . 2008-01-20 17:46 <DIR> d-------- C:\Program Files\AVI MPEG ASF WMV Splitter
2008-01-20 12:33 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-01-20 12:28 . 2008-01-20 12:28 <DIR> d-------- C:\Drivers
2008-01-20 12:28 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-01-20 12:28 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-01-20 12:28 . 2001-07-03 20:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-01-20 12:28 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-01-20 12:28 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-01-20 12:28 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-01-20 12:17 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-20 12:17 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-20 12:16 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-20 12:16 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Real
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-16 23:33 . 2008-01-16 23:33 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-14 20:40 . 2008-01-14 20:40 267 --a------ C:\WINDOWS\game.ini
2008-01-13 17:23 . 2008-01-13 17:23 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-30 01:21 . 2007-12-30 01:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 16:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-27 14:02 --------- d-----w C:\Program Files\Opera
2008-01-27 13:38 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-27 12:43 --------- d--h--r C:\Documents and Settings\adi\Application Data\yahoo!
2008-01-20 10:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 19:53 --------- d-----w C:\Program Files\Winamp
2007-12-23 10:28 --------- d-----w C:\Documents and Settings\adi\Application Data\Ahead
2007-12-05 22:16 --------- d-----w C:\Program Files\PowerQuest
2007-02-18 20:15 24,192 ----a-w C:\Documents and Settings\adi\usbsermptxp.sys
2007-02-18 20:15 22,768 ----a-w C:\Documents and Settings\adi\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Resume copy"="copyfstq.exe" [2007-01-28 19:07 73728 C:\WINDOWS\copyfstq.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-16 23:33 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2002-08-19 22:22 50880 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2002-08-19 22:23 34504 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
--a------ 2006-09-13 08:58 2154496 C:\Program Files\VDOTool\TBPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-11-08 13:27 222208 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-28 14:45 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 12:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4edbefe-aef9-11db-9238-000461525409}]
\Shell\AutoRun\command - J:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 13:40:11 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-27 13:37:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-29 20:42:44 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 22:42:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-01-29 22:59:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 20:44:24
ComboFix2.txt 2008-01-29 16:47:17
.
2008-01-21 22:17:28 --- E O F ---





AND







Logfile of HijackThis v1.99.1
Scan saved at 11:01:09 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\adi\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F2C091-C153-4EAA-86F6-2C3EF4307C23}: NameServer = 217.156.110.1,86.104.16.10,62.231.76.49
O17 - HKLM\System\CS1\Services\Tcpip\..\{22781AE0-F508-410A-BC06-057E1F32EDE0}: NameServer = 62.231.76.49 81.18.85.7
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

[Trevuren]

A. Using Windows Search function, please perform a search for the following fle and tell me if it is present or not:

C:\WINDOWS\system32\wdfmgr.exe


B. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6u4.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• In the pull down menu next to Platform select Windows
• Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.

• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  
  • Downloaded Applets
    Downloaded Applications
    Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

C. We must now check your entire system for any "baddies" that may still be lurking:

I need you to run the following scan: Eset Online Scanner

• Place a check mark in the box YES, I accept the Terms Of Use
• Click the Start button.
• Now click the Install button.
• Click Start. The scanner engine will initialize and update.
• Do Not place a check mark in the box beside Remove found threats.
• Click the Scan button. The scan will now run, please be patient.
• When the scan finishes click the Details tab.
• Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

[lawrentioo]

A. found it in:
C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}

B. updated
OBS: When i did uninstall the old version, a window poped up , loodek like this :




C. the scan took some time , here is the log :

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2836 (20080130)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=591683623fe10a4ca7206d76a75ea63e
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-30 08:32:04
# local_time=2008-01-30 10:32:04 (+0200, GTB Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=582236
# found=8
# scan_time=8403
E:\school\@__LAWRENTZIOO\dvd playere\Cdvd.exe Win32/Adware.NdotNet application 68AE2FEA41AC8F6EE42353FACDE207BB
E:\school\@__LAWRENTZIOO\dvd playere\Cdvd.exe »NSIS »NNCLXA638.EXE Win32/Adware.NdotNet application 00000000000000000000000000000000
E:\school\@__LAWRENTZIOO\yahoo tools\status_tool.zip probably a variant of Win32/Flooder.IM.VB.A trojan 6B0A63F701A033E67E069A48E023F041
E:\school\@__LAWRENTZIOO\yahoo tools\status_tool.zip »ZIP »Y! Blue Stat 4.exe probably a variant of Win32/Flooder.IM.VB.A trojan 00000000000000000000000000000000
E:\school\@__LAWRENTZIOO\yahoo tools\yamp.zip probably a variant of Win32/Flooder.IM.VB.A trojan 5090039AFE8C1506F6C6522D1166F4D9
E:\school\@__LAWRENTZIOO\yahoo tools\yamp.zip »ZIP »yampm6-312.exe probably a variant of Win32/Flooder.IM.VB.A trojan 00000000000000000000000000000000
E:\school\@__LAWRENTZIOO\yahoo tools\status_tool\Y! Blue Stat 4.exe probably a variant of Win32/Flooder.IM.VB.A trojan 6CB1E1E7DFB72E7F2B15F76768242C21
E:\school\@__LAWRENTZIOO\yahoo tools\yamp\yampm6-312.exe probably a variant of Win32/Flooder.IM.VB.A trojan E6164556BABFB8B0D6C76CD9FBB90B74

[Trevuren]

Please DELETE the following files/folder as they are infected:

E:\school\@__LAWRENTZIOO\dvd playere\Cdvd.exe<==File
E:\school\@__LAWRENTZIOO\yahoo tools\status_tool.zip<==File
E:\school\@__LAWRENTZIOO\yahoo tools\yamp.zip<==File
E:\school\@__LAWRENTZIOO\yahoo tools\status_tool\Y! Blue Stat 4.exe<==File
E:\school\@__LAWRENTZIOO\yahoo tools\yamp<==Folder and all its content


Your logs will be clean after doing the above. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.

Trevuren

[lawrentioo]

i have deleted those files, looks ok now, no other bad signs and i am waiting for the last instructions. Mr. Trevuren, thank you very much for your time and help!!

[Trevuren]

Congratulations, your logs look CLEAN

There are a few things you must do once you system is completely clean:

Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
  
  
  
• 

The above procedure will:

• Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab.
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  
  
  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

2. Update your Anti-Virus Software - I can not overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?