[Resolved] malware.. please help


This topic is locked
28 replies to this topic

#16 zeitcheist (Authentic Member, 20 posts)

Posted 26 April 2008 - 11:50 AM

Hi!

I posted an image of the msconfig window. You can see the image before your latest reply.

The processes are run by rundll32. They kept popping up, with random filenames.

What do you recommend I remove? I have a bunch of programs here downloaded through torrents. So how can I know if they're infected in the first place?

Thanks for your help!



#17 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 26 April 2008 - 01:08 PM

OK, looks like you've got re-infected, or we missed something.

Have you connected any USB devices to your computer?

We need to disable Ad-Watch as it will interfere with any attempts we make to fix things.

To disable Ad-Watch:
  • Right-click on the Ad-Watch icon in the system tray
  • Select "Restore Ad-Watch"
  • At the bottom of the screen you will see 2 options -- Active and Automatic.
  • Uncheck both options (red X).
  • Since you will likely be doing several shutdown/restarts, under Tools & Preferences > Options > Activity > Deselect "Load Ad-Watch at Windows startup"
Note: When Ad-Watch is re-enabled, it is vital that you accept any changes that may be alerted by Ad-Watch.

Next

Run a scan with Combofix
  • First
    • Important! Temporarily disable your anti-virus and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files, which may cause unpredictable results.
    • Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe & follow the prompts.
  • Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
  • When finished, it will
    • Produce a log for you. (it can also be found at C:\Combofix.txt)
    • Restore your Internet connection.
  • Post the log in your next reply please.
  • Now run a new HJT scan and send me the log from that as well please.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

#18 zeitcheist (Authentic Member, 20 posts)

Posted 27 April 2008 - 12:31 AM

Done with everything. I think it's my fault downloading from torrents while fixing this machine. I just wanted to have Ad-Aware for protection. Sorry for that. Anyway, here are the new logs.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-04-22.5 - Bondoc 2008-04-27 14:09:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.550 [GMT 8:00]
Running from: D:\Installers\Malware Utils\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\upkithuj.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 22:15 . 2008-04-26 22:15 <DIR> d-------- C:\_OTMoveIt
2008-04-26 16:33 . 2008-04-26 19:22 109,776 --a------ C:\WINDOWS\BMd3fd8e8f.xml
2008-04-26 15:54 . 2008-04-26 16:51 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-04-26 15:54 . 2008-04-26 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-26 11:23 . 2008-04-26 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 11:23 . 2008-04-26 11:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-25 22:55 . 2008-04-25 22:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 22:55 . 2008-04-25 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Program Files\Malwarebytes
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Malwarebytes
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 14:10 . 2008-04-25 14:16 <DIR> d-------- C:\Program Files\SimCity 4 Deluxe
2008-04-25 14:10 . 2008-04-25 14:10 530 --a------ C:\WINDOWS\eReg.dat
2008-04-23 18:58 . 2008-04-26 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-22 20:25 . 2008-04-22 20:25 <DIR> d-------- C:\Program Files\FileZilla FTP
2008-04-22 20:25 . 2008-04-23 14:17 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\FileZilla
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\Program Files\WinSCP
2008-04-22 20:00 . 2008-04-22 20:00 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-15 07:08 . 2007-12-18 01:16 65,536 --a------ C:\npkimi.dll
2008-04-15 02:07 . 2008-04-17 23:25 <DIR> d-------- C:\Program Files\Veoh
2008-04-14 23:17 . 2008-04-14 23:17 <DIR> d-------- C:\Program Files\Uniblue
2008-04-14 23:17 . 2008-04-14 23:17 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Uniblue
2008-04-14 18:10 . 2008-04-14 18:10 <DIR> d-------- C:\Program Files\SmartFTP
2008-04-14 16:33 . 2008-04-15 02:11 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\MegauploadToolbar
2008-04-13 23:55 . 2008-04-13 23:55 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Meridian93
2008-04-13 23:03 . 2008-04-14 23:48 <DIR> d-------- C:\Program Files\Garena
2008-04-13 23:03 . 2008-04-13 23:03 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\InstallShield
2008-04-13 23:03 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2008-04-13 22:37 . 2008-04-16 03:56 <DIR> d-------- C:\Program Files\Magic Farm
2008-04-13 18:24 . 2008-04-13 18:25 <DIR> d-------- C:\Program Files\Safari
2008-04-13 16:51 . 2008-04-13 16:51 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Jane s Hotel Family Hero
2008-04-07 13:26 . 2008-04-07 13:29 <DIR> d-------- C:\Program Files\J2ME-Polish
2008-04-07 01:33 . 2008-04-07 01:33 <DIR> d-------- C:\Documents and Settings\Bondoc\workspace
2008-04-05 21:43 . 2008-04-05 21:43 72 --a------ C:\WINDOWS\MediaManager.INI
2008-04-03 20:48 . 2008-04-03 20:49 11,024 --a------ C:\WINDOWS\system32\productregistry
2008-04-03 20:47 . 2008-04-03 20:47 <DIR> d-------- C:\Sun
2008-03-29 21:39 . 2008-03-29 21:47 <DIR> d-------- C:\Program Files\QuickTime
2008-03-29 21:39 . 2008-03-29 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 06:13 --------- d-----w C:\Program Files\cFosSpeed
2008-04-26 14:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-26 14:01 --------- d-----w C:\Program Files\Warcraft III
2008-04-26 10:00 --------- d-----w C:\Program Files\Navigator 9
2008-04-26 07:58 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\uTorrent
2008-04-25 14:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-23 13:08 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\LimeWire
2008-04-23 11:05 --------- d-----w C:\Program Files\Google
2008-04-21 11:39 --------- d-----w C:\Program Files\Norton SystemWorks
2008-04-14 23:08 --------- d-----w C:\Program Files\Imikimi
2008-04-14 18:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 13:48 --------- d-----w C:\Program Files\PPLive
2008-04-14 10:08 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-04-13 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-13 15:03 --------- d-----w C:\Program Files\GG E-Sports Platform
2008-04-13 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 06:23 --------- d-----w C:\Program Files\Counter Strike
2008-03-31 05:37 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Wildfire
2008-03-29 13:43 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Apple Computer
2008-03-29 07:50 --------- d-----r C:\Program Files\TypingMaster
2008-03-29 04:48 --------- d-----w C:\Program Files\Bonjour
2008-03-28 13:09 --------- d-----w C:\Program Files\Neuber TaskMngr
2008-03-21 08:56 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Netscape
2008-03-20 10:14 --------- d-----w C:\Program Files\Opera
2008-03-20 09:58 --------- d-----w C:\Program Files\Apple Software Update
2008-03-20 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-20 09:43 --------- d-----w C:\Program Files\PremiumSoft
2008-03-06 13:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 13:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 13:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-22 19:23 3,928,264 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-12-22 19:05 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-09-12 02:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 02:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_ 5.44.47.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 21:38:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 06:13:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 07:55:15 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-26 07:55:15 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-26 07:55:15 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-26 07:55:15 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 09:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 08:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 08:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 07:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-04-27 06:13:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-24 20:24 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2007-11-24 20:24 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-24 20:24 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-07-09 17:10 838608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bondoc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bondoc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-16 09:27 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd3fd8e8f]
C:\WINDOWS\system32\rskmtbth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 22:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d0cebd13]
C:\WINDOWS\system32\juhtikpu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 15:55 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Save and Restore]
--a------ 2007-03-26 15:45 1582696 C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSRKey]
--a------ 2007-03-26 15:45 1582696 C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
--a------ 2007-12-03 01:41 25472 C:\Program Files\Norton SystemWorks\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-09-06 10:22 26248 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 15:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-15 15:55 1628208 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
--a------ 2007-05-16 10:45 8975904 C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XDc]
--a------ 2006-10-03 12:09 1383478 C:\Program Files\Xtreme Desktop\xdc\startxdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-07-16 15:17 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\Python\\pythonw.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"\\\\ZEIT\\DATA (D)\\Programs\\PerfectWorld\\launcher\\Launcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Programs\\Xampp\\mysql\\bin\\mysqld.exe"=
"D:\\Programs\\Xampp\\apache\\bin\\apache.exe"=
"C:\\Documents and Settings\\Bondoc\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\emulator.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"C:\\Documents and Settings\\Bondoc\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\zayit.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Counter Strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\bin\\java.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"D:\\SunWTK\\bin\\emulator.exe"=
"D:\\SunWTK\\bin\\zayit.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\WinSCP\\WinSCP.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6119:TCP"= 6119:TCP:war3port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R2 Norton Save and Restore;Norton Save and Restore;C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe [2007-03-26 15:45]
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 05:10]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 09:39:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 13:16:21 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bondoc.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
"2008-04-21 11:39:29 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-24 15:17:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-14 15:17:44 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 14:14:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-27 14:19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 06:19:53
ComboFix2.txt 2008-04-25 18:27:12
ComboFix3.txt 2008-04-25 18:18:28
ComboFix4.txt 2008-04-25 09:31:45
ComboFix5.txt 2008-04-24 21:45:11

Pre-Run: 9,095,933,952 bytes free
Post-Run: 9,044,525,056 bytes free

315 --- E O F --- 2008-04-13 19:12:21
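Post #16 describes rundll32-hosted processes with random filenames, and the ComboFix log in #18 shows what that looks like on disk and in the registry: two msconfig\startupreg entries named BMd3fd8e8f and d0cebd13 that point at rskmtbth.dll and juhtikpu.dll with no attribute/date/size prefix, a deleted file upkithuj.ini whose name is juhtikpu reversed, and rundll32.exe sitting in the firewall's AuthorizedApplications list. The Python script below is an added example for this page (not a What the Tech, ComboFix or HijackThis tool) that runs those checks over a constructed excerpt of the posted log. The heuristics are assumptions of this example, not documented ComboFix behaviour: a run of 8 hex characters in an entry name is read as machine-generated, a bare path with no attr/date/size prefix is read as a file ComboFix could not resolve at scan time, and rundll32/regsvr32/svchost in the firewall whitelist is flagged because they are host processes rather than applications.

```python
"""Triage heuristics for ComboFix 'Reg Loading Points' output.
Added example for this thread; SAMPLE_LOG is a constructed excerpt of the
log posted in #18. The heuristics in triage() are this example's own
assumptions about how ComboFix formats its output.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the posted ComboFix log, nothing else.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\upkithuj.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd3fd8e8f]
C:\WINDOWS\system32\rskmtbth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 22:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d0cebd13]
C:\WINDOWS\system32\juhtikpu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Assumption: ComboFix prefixes resolvable files with attributes, date, time and size.
META_RE = re.compile(r"^[-ahrsw]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(?P<path>.+)$")
HEXISH_RE = re.compile(r"[0-9a-f]{8}", re.I)   # assumption: 8 hex chars = generated name
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "svchost.exe"}


@dataclass
class StartupEntry:
    name: str           # last component of the startupreg key
    target: str         # path or command line printed under the key
    has_metadata: bool  # True if the attr/date/size prefix was present


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def parse_log(text: str):
    """Return (deleted paths, msconfig startupreg entries, firewall-authorised apps)."""
    deleted, startup, firewall = [], [], []
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("(((("):                     # section banner
            section = "deletions" if "Other Deletions" in line else "other"
            continue
        m = KEY_RE.match(line)
        if m:                                           # registry key header
            key, section = m.group("key"), "reg"
            continue
        if section == "deletions":
            deleted.append(line)
        elif section == "reg" and key:
            low = key.lower()
            if "\\msconfig\\startupreg\\" in low:
                mm = META_RE.match(line)
                startup.append(StartupEntry(key.rsplit("\\", 1)[1],
                                            mm.group("path") if mm else line, bool(mm)))
            elif "authorizedapplications" in low and line.startswith('"'):
                # registry-escaped path: "C:\\dir\\app.exe"= -> C:\dir\app.exe
                firewall.append(line.split('"')[1].replace("\\\\", "\\"))
    return deleted, startup, firewall


def triage(text: str):
    """Return [(entry name, target, [reasons])] for entries worth a second look."""
    deleted, startup, firewall = parse_log(text)
    deleted_stems = {stem(p).lower() for p in deleted}
    findings = []
    for e in startup:
        reasons, tgt = [], e.target.lower()
        if "{" not in e.name and HEXISH_RE.search(e.name):   # GUID-named entries are normal
            reasons.append("entry name looks machine-generated")
        if tgt.endswith(".dll") and not e.has_metadata:
            reasons.append("DLL loaded via rundll32 with no file metadata (not resolvable at scan time)")
        if tgt.endswith(".dll") and stem(tgt)[::-1] in deleted_stems:
            reasons.append("reversed filename matches a file ComboFix deleted")
        if reasons:
            findings.append((e.name, e.target, reasons))
    for app in firewall:
        if basename(app).lower() in HOST_PROCESSES:
            findings.append(("firewall", app, ["generic host process whitelisted in the firewall"]))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {target}\n    " + "\n    ".join(reasons))
```

Run against the full log it will flag the same three items and nothing else in the startupreg block; the KernelFaultCheck entry also has no metadata, but it is a command line rather than a DLL, so it is left alone. The reversed-stem check is the one that ties the two halves of the log together: ComboFix removed upkithuj.ini, and the surviving startup entry still points at juhtikpu.dll.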

#19 zeitcheist (Authentic Member, 20 posts)

Posted 27 April 2008 - 12:32 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:53 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
D:\Installers\Malware Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10196 bytes

#20 Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 27 April 2008 - 02:02 AM

  • Click Start > Run, type Notepad, then click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
File::
C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\ImageOle.dll
C:\WINDOWS\system32\rskmtbth.dll
C:\WINDOWS\system32\juhtikpu.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd3fd8e8f]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d0cebd13]
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
    • Click Check for Updates and allow the programme to download the latest definitions. (This is important)
  • Click the Scanner tab.
    • Check Perform Quick Scan.
    • Click Scan and wait for the scan to complete.
    • When the scan is complete, click OK, then Show Results.
    • Ensure all items are checked then click Remove Selected.
    • A box will pop-up telling you that files have been quarantined.
    • A log will pop-up.
  • Post the log in your next reply please.
You can also access the log by doing the following:
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open

Next

Run a new scan with Kaspersky online scanner and post me the log please.

Next

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • New Combofix log
  • New MBAM log
  • New Kaspersky log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.

Edited by Gary R, 27 April 2008 - 02:03 AM.


#21 zeitcheist

    Authentic Member

  • Authentic Member
  • 20 posts

Posted 27 April 2008 - 05:57 AM

Okay, these are the latest logs.

*********************************************************************
ComboFix
*********************************************************************


ComboFix 08-04-22.5 - Bondoc 2008-04-27 16:12:28.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT 8:00]
Running from: D:\Installers\Malware Utils\ComboFix.exe
Command switches used :: D:\Installers\Malware Utils\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\ImageOle.dll
C:\WINDOWS\system32\juhtikpu.dll
C:\WINDOWS\system32\rskmtbth.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\ImageOle.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 22:15 . 2008-04-26 22:15 <DIR> d-------- C:\_OTMoveIt
2008-04-26 15:54 . 2008-04-26 16:51 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-04-26 15:54 . 2008-04-26 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 22:55 . 2008-04-25 22:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 22:55 . 2008-04-25 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Program Files\Malwarebytes
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Malwarebytes
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 14:10 . 2008-04-25 14:16 <DIR> d-------- C:\Program Files\SimCity 4 Deluxe
2008-04-25 14:10 . 2008-04-25 14:10 530 --a------ C:\WINDOWS\eReg.dat
2008-04-23 18:58 . 2008-04-26 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-22 20:25 . 2008-04-22 20:25 <DIR> d-------- C:\Program Files\FileZilla FTP
2008-04-22 20:25 . 2008-04-23 14:17 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\FileZilla
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\Program Files\WinSCP
2008-04-22 20:00 . 2008-04-22 20:00 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-15 07:08 . 2007-12-18 01:16 65,536 --a------ C:\npkimi.dll
2008-04-15 02:07 . 2008-04-17 23:25 <DIR> d-------- C:\Program Files\Veoh
2008-04-14 23:17 . 2008-04-14 23:17 <DIR> d-------- C:\Program Files\Uniblue
2008-04-14 23:17 . 2008-04-14 23:17 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Uniblue
2008-04-14 18:10 . 2008-04-14 18:10 <DIR> d-------- C:\Program Files\SmartFTP
2008-04-14 16:33 . 2008-04-15 02:11 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\MegauploadToolbar
2008-04-13 23:55 . 2008-04-13 23:55 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Meridian93
2008-04-13 23:03 . 2008-04-14 23:48 <DIR> d-------- C:\Program Files\Garena
2008-04-13 23:03 . 2008-04-13 23:03 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\InstallShield
2008-04-13 22:37 . 2008-04-16 03:56 <DIR> d-------- C:\Program Files\Magic Farm
2008-04-13 18:24 . 2008-04-13 18:25 <DIR> d-------- C:\Program Files\Safari
2008-04-13 16:51 . 2008-04-13 16:51 <DIR> d-------- C:\Documents and Settings\Bondoc\Application Data\Jane s Hotel Family Hero
2008-04-07 13:26 . 2008-04-07 13:29 <DIR> d-------- C:\Program Files\J2ME-Polish
2008-04-07 01:33 . 2008-04-07 01:33 <DIR> d-------- C:\Documents and Settings\Bondoc\workspace
2008-04-05 21:43 . 2008-04-05 21:43 72 --a------ C:\WINDOWS\MediaManager.INI
2008-04-03 20:48 . 2008-04-03 20:49 11,024 --a------ C:\WINDOWS\system32\productregistry
2008-04-03 20:47 . 2008-04-03 20:47 <DIR> d-------- C:\Sun
2008-03-29 21:39 . 2008-03-29 21:47 <DIR> d-------- C:\Program Files\QuickTime
2008-03-29 21:39 . 2008-03-29 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 08:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 08:11 --------- d-----w C:\Program Files\cFosSpeed
2008-04-26 14:01 --------- d-----w C:\Program Files\Warcraft III
2008-04-26 10:00 --------- d-----w C:\Program Files\Navigator 9
2008-04-26 07:58 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\uTorrent
2008-04-25 14:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-23 13:08 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\LimeWire
2008-04-23 11:05 --------- d-----w C:\Program Files\Google
2008-04-21 11:39 --------- d-----w C:\Program Files\Norton SystemWorks
2008-04-14 23:08 --------- d-----w C:\Program Files\Imikimi
2008-04-14 18:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 13:48 --------- d-----w C:\Program Files\PPLive
2008-04-14 10:08 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-04-13 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-13 15:03 --------- d-----w C:\Program Files\GG E-Sports Platform
2008-04-13 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 06:23 --------- d-----w C:\Program Files\Counter Strike
2008-03-31 05:37 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Wildfire
2008-03-29 13:43 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Apple Computer
2008-03-29 07:50 --------- d-----r C:\Program Files\TypingMaster
2008-03-29 04:48 --------- d-----w C:\Program Files\Bonjour
2008-03-28 13:09 --------- d-----w C:\Program Files\Neuber TaskMngr
2008-03-21 08:56 --------- d-----w C:\Documents and Settings\Bondoc\Application Data\Netscape
2008-03-20 10:14 --------- d-----w C:\Program Files\Opera
2008-03-20 09:58 --------- d-----w C:\Program Files\Apple Software Update
2008-03-20 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-20 09:43 --------- d-----w C:\Program Files\PremiumSoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 13:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 13:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 13:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-22 19:23 3,928,264 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-12-22 19:05 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-09-12 02:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 02:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_ 5.44.47.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 21:38:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 06:13:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 07:55:15 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-04-26 07:55:15 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-04-26 07:55:15 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-04-26 07:55:15 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 09:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 08:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 08:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 07:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2008-04-27 06:13:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-24 20:24 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2007-11-24 20:24 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-24 20:24 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-07-09 17:10 838608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bondoc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bondoc^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-05-16 09:27 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 22:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 15:55 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Save and Restore]
--a------ 2007-03-26 15:45 1582696 C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSRKey]
--a------ 2007-03-26 15:45 1582696 C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
--a------ 2007-12-03 01:41 25472 C:\Program Files\Norton SystemWorks\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-09-06 10:22 26248 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 15:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-15 15:55 1628208 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
--a------ 2007-05-16 10:45 8975904 C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XDc]
--a------ 2006-10-03 12:09 1383478 C:\Program Files\Xtreme Desktop\xdc\startxdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-07-16 15:17 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\Python\\pythonw.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"\\\\ZEIT\\DATA (D)\\Programs\\PerfectWorld\\launcher\\Launcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Programs\\Xampp\\mysql\\bin\\mysqld.exe"=
"D:\\Programs\\Xampp\\apache\\bin\\apache.exe"=
"C:\\Documents and Settings\\Bondoc\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\emulator.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"C:\\Documents and Settings\\Bondoc\\.netbeans\\5.5\\emulators\\wtk22_win\\emulator\\wtk22\\bin\\zayit.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Counter Strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jdk1.6.0\\bin\\java.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"D:\\SunWTK\\bin\\emulator.exe"=
"D:\\SunWTK\\bin\\zayit.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\WinSCP\\WinSCP.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6119:TCP"= 6119:TCP:war3port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R2 Norton Save and Restore;Norton Save and Restore;C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe [2007-03-26 15:45]
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 05:10]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 09:39:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 13:16:21 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bondoc.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
"2008-04-21 11:39:29 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-24 15:17:02 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-14 15:17:44 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 16:14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 16:16:52
ComboFix-quarantined-files.txt 2008-04-27 08:16:45
ComboFix2.txt 2008-04-27 06:19:57
ComboFix3.txt 2008-04-25 18:27:12
ComboFix4.txt 2008-04-25 18:18:28
ComboFix5.txt 2008-04-25 09:31:45

Pre-Run: 9,009,987,584 bytes free
Post-Run: 9,054,851,072 bytes free

306 --- E O F --- 2008-04-13 19:12:21

Edited by Gary R, 27 April 2008 - 08:44 AM.
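One check a responder would want at this point, added here as an example and not code from the thread, from ComboFix, or from any of the tools named in it: read the CFScript from post #20 and the ComboFix log from post #21 side by side, and confirm which of the files the script asked for actually appear under "Other Deletions" in the log. The sample inputs are copied from those two posts. The parsing rules are my reading of the two formats as shown in the thread, not a specification: a CFScript section is a line ending in "::" followed by its entries up to a blank line; a ComboFix log block runs until the next "(((((" banner line, with "." and blank lines as filler; and "[-key]" in the Registry section is the regedit convention for deleting a key.

```python
import re

# Constructed sample input: the CFScript Gary R posted in post #20.
CFSCRIPT = r"""File::
C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\ImageOle.dll
C:\WINDOWS\system32\rskmtbth.dll
C:\WINDOWS\system32\juhtikpu.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd3fd8e8f]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d0cebd13]
"""

# Constructed sample input: excerpt of the ComboFix log zeitcheist posted back in post #21.
COMBOFIX_LOG = r"""FILE ::
C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\ImageOle.dll
C:\WINDOWS\system32\juhtikpu.dll
C:\WINDOWS\system32\rskmtbth.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd3fd8e8f.xml
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\ImageOle.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text):
    """Split a CFScript into its '<Name>::' sections (File, Registry, ...).

    Assumed format: a header is a line ending in '::', its entries are the
    following non-blank lines, and a blank line closes the section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif line.endswith("::"):
            current = line[:-2].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Classify Registry:: lines by regedit convention: '[-key]' deletes the key."""
    actions = []
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            actions.append(("ensure_key", line[1:-1]))
        else:
            actions.append(("set_value", line))
    return actions


def log_block(log_text, header_pattern):
    """Return the entries of the ComboFix log block whose header matches the pattern.

    Blocks end at the next '(((((' banner; '.' and blank lines are filler.
    """
    entries, inside = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = re.search(header_pattern, line) is not None
            continue
        if line.startswith("((("):  # next banner: this block is over
            break
        if line not in ("", "."):
            entries.append(line)
    return entries


def reconcile(cfscript_text, log_text):
    """Compare the files the script asked ComboFix to remove with what the log confirms."""
    requested = parse_cfscript(cfscript_text).get("File", [])
    echoed = {p.lower() for p in log_block(log_text, r"^FILE ::$")}     # script was read
    deleted = {p.lower() for p in log_block(log_text, r"Other Deletions")}  # actually removed
    return {
        "requested": len(requested),
        "not_echoed": [p for p in requested if p.lower() not in echoed],
        "deleted": [p for p in requested if p.lower() in deleted],
        "unconfirmed": [p for p in requested if p.lower() not in deleted],
    }


if __name__ == "__main__":
    report = reconcile(CFSCRIPT, COMBOFIX_LOG)
    print(f"{len(report['deleted'])} of {report['requested']} requested files confirmed deleted")
    for path in report["unconfirmed"]:
        print("  not confirmed by the log:", path)
    for action, target in registry_actions(parse_cfscript(CFSCRIPT).get("Registry", [])):
        print(f"  registry {action}: {target}")
```

On the thread's own data this reports 4 of 6 files confirmed: the log echoes all six paths under "FILE ::", but only the .xml, the two QTFont files and ImageOle.dll are listed under "Other Deletions"; rskmtbth.dll and juhtikpu.dll are not, so for those two the script's request and the log's evidence differ, and the follow-up MBAM, Kaspersky and HJT scans Gary R asked for are what settle whether they were already gone or are still present. Windows paths are compared case-insensitively, which is why the sets are lower-cased.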


#22 zeitcheist

    Authentic Member

  • Authentic Member
  • 20 posts

Posted 27 April 2008 - 05:59 AM

*********************************************************************
Malwarebytes' Anti-malware
*********************************************************************

Malwarebytes' Anti-Malware 1.11
Database version: 686

Scan type: Quick Scan
Objects scanned: 36687
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Gary R, 27 April 2008 - 08:44 AM.


#23 zeitcheist

    Authentic Member

  • Authentic Member
  • 20 posts

Posted 27 April 2008 - 06:00 AM

*********************************************************************
Kaspersky
*********************************************************************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 27, 2008 7:54:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727193
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 265621
Number of viruses found: 5
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 03:23:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\854BB783.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Bondoc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temp\Acr50A1.tmp Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temp\lilo2 Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temp\lilo3 Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temp\lilo4 Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temp\Perflib_Perfdata_e80.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Bondoc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bondoc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bondoc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Bondoc.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Bondoc.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Bondoc.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP290\A0355009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.odh skipped
C:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP291\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_1d0.dat Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Installers\Java\DJ Java Decompiler 3.9\SetupDJ4.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7\aaw2007.exe/data0000.cab/setup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7\aaw2007.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7\aaw2007.exe Rsrc-Package: infected - 2 skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7.rar/aaw2007.exe/data0000.cab/setup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7.rar/aaw2007.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7.rar/aaw2007.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped 
C:\_OTMoveIt\MovedFiles\04262008_221525\Torrent\Lavasoft_Ad-Aware_2007_Pro_7.0.2.7.rar RAR: infected - 3 skipped C:\_OTMoveIt\MovedFiles\04262008_221525\WINDOWS\system32\wgatray.exe.old Infected: Trojan-Dropper.Win32.Mudrop.dv skipped D:\Program Files\DAP\History\Bondoc\_lasthist.dat Object is locked skipped D:\Program Files\DAP\Log\DAP_REPORT.LOG Object is locked skipped D:\Program Files\DAP\Temp\ADS33EF.tmp Object is locked skipped D:\Program Files\DAP\Temp\ADS4619.tmp Object is locked skipped D:\Program Files\DAP\Temp\ADS578F.tmp Object is locked skipped D:\Program Files\DAP\Temp\ADSBCBD.tmp Object is locked skipped D:\Program Files\DAP\Temp\ADSCE5B.tmp Object is locked skipped D:\Program Files\DAP\Temp\ZAF74E8.tmp Object is locked skipped D:\Program Files\DAP\Temp\ZAF7655.tmp Object is locked skipped D:\Program Files\DAP\Temp\ZAU2F36.tmp Object is locked skipped D:\Program Files\DAP\Temp\ZAU6D2C.tmp Object is locked skipped D:\Program Files\DAP\Temp\ZAUFF78.tmp Object is locked skipped D:\Program Files\DAP\Updates\Condition.dll Object is locked skipped D:\Program Files\DAP\Updates\SPO3.ico Object is locked skipped D:\Program Files\DAP\Updates\UpdateList.xml Object is locked skipped D:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_b1a2e610-e911-4083-9094-8e52b70f4fdf Object is locked skipped D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP290\A0355001.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped D:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP290\A0355002.exe/data0000.cab/setup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped D:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP290\A0355002.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm skipped 
D:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP290\A0355002.exe Rsrc-Package: infected - 2 skipped D:\System Volume Information\_restore{E3645A28-D39A-4609-999E-ADE608620EFE}\RP291\change.log Object is locked skipped D:\Windows\CSC\v2.0.6\pq Object is locked skipped D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Object is locked skipped D:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Object is locked skipped Scan process completed.

Edited by Gary R, 27 April 2008 - 08:45 AM.


#24 zeitcheist

zeitcheist

    Authentic Member

  • Authentic Member
  • 20 posts

Posted 27 April 2008 - 06:00 AM

*********************************************************************
Hijackthis
*********************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:36 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Installers\Malware Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10354 bytes

Edited by Gary R, 27 April 2008 - 08:45 AM.
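
As an added example (not from the thread, and not part of HijackThis itself), here is a small Python triage script for the HijackThis v2.0.2 log format posted above. It parses the "Running processes" block and the R/F/O entries, then flags what a helper looks at first: processes outside the Windows and Program Files trees, O4 startup entries that load a DLL through rundll32, O6 IE restrictions, and O23 services with no recorded vendor. The sample log is constructed from lines of the post above plus one made-up rundll32 entry; every flag is a review cue, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2.0.2 log format used in this thread.
# Most lines are copied from the log above; the "[x1a2b3c]" Run entry is made up
# to show what a flagged startup entry looks like and is NOT from the log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:36 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Installers\Malware Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [x1a2b3c] rundll32.exe C:\WINDOWS\system32\x1a2b3c.dll,a
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code ("O4", "O23", ...) or "PROC" for a running process
    item: str     # the entry name or path the finding is about
    reason: str   # why a reviewer should look at it

# "O23 - Service: ..." style lines: section code, " - ", rest of the entry.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# "HKLM\..\Run: [name] command" as it appears after the "O4 - " prefix.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "Service: display name - vendor - path" as it appears after the "O23 - " prefix.
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Directory trees a helper treats as the normal home for processes (lower-cased for comparison).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, text) pairs for every R/F/O line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def running_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, in_block = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def is_under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(log: str) -> list[Finding]:
    """Apply a few review heuristics; a Finding means 'look at this', not 'malicious'."""
    findings: list[Finding] = []
    for proc in running_processes(log):
        if not is_under_trusted_root(proc):
            findings.append(Finding("PROC", proc, "process running outside the Windows/Program Files trees"))
    for section, text in parse_entries(log):
        if section == "O4":
            m = O4_RE.match(text)
            # A startup entry that loads a DLL through rundll32 deserves a look;
            # legitimate ones exist, so this is a review cue only.
            if m and "rundll32" in m.group("cmd").lower():
                findings.append(Finding("O4", m.group("name"), f"rundll32 startup entry loading a DLL: {m.group('cmd')}"))
        elif section == "O6":
            findings.append(Finding("O6", text, "IE policy restrictions set; confirm an administrator set them"))
        elif section == "O23":
            m = O23_RE.match(text)
            if m and m.group("owner").strip().lower() == "unknown owner":
                findings.append(Finding("O23", m.group("name"), f"no vendor recorded for {m.group('path')}; verify the file's publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.item}\n      {f.reason}")
```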


#25 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 27 April 2008 - 08:57 AM

OK, looks like you're clean. I don't think you were re-infected at all.

I think I know what happened.

Ad-Aware replaced the Registry entries that we'd earlier removed, which is why they re-appeared in your MS Config Startup folder.

When you re-enable Ad-Watch, please accept any alterations it flags to you (or it will just happen again).

OK, time for a little cleaning up.

Let's clear out Combofix and the files/folders it created
  • Click Start > Run
  • Copy/Paste ComboFix /u into the Run box.
  • Click OK
  • The following items will now be processed.
    • Deletes the following files/folders:
    • ComboFix.exe
    • %system%\swxcacls.exe
    • %system%\swsc.exe
    • %system%\VFind.exe
    • %system%\moveex.exe
    • %system%\swreg.exe
    • %systemroot%\catchme.exe
    • \ComboFix
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Resets the clock settings.
  • Hides file extensions
  • Hides System/Hidden files
  • Clears the System Restore cache and creates a new Restore point

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out the programmes we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately. Besides, they're updated regularly, so they won't be of any use against future infections.
  • Double click OTMoveIt2.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTMoveIt will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes.
  • When finished, exit out of OTMoveIt.
  • Now delete OTMoveIt2.exe (if still present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are, let me know about them.
  • If not, it's time to make your computer more secure.
Below are a series of recommendations which will help you keep more secure online.

Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Update your Java.
Older versions have vulnerabilities that malware can use, and is using, to infect systems.

Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.

  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Download the latest version of Java Runtime Environment (JRE) 6u6, and install it to your computer.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits; as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches, your computer is vulnerable. Please go to the Windows Update site and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

  • Spybot S & D
    Spybot is a scanner. It scans for spyware and other malicious programs. It is important to have at least one malware scanner on your computer. Spybot has preventative tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
  • WinPatrol by BillPStudios is a programme that monitors your computer and notifies you if there are any unauthorised changes made to it. It gives you the option to allow or forbid the changes, thus guarding you against Malware installations. I consider this one a must have.

    If you find you like it, you can get a lifetime upgrade to the Plus version for a small one time fee.
  • SpywareBlaster
    SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
    If you don't know what ActiveX controls are, see here
  • IE Spyad
    It puts many bad webpages on your Restricted Zones list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use JavaScript and cookies). Use IE Spyad for single-account computers, and IE Spyad 2 for multi-account computers.
  • Hosts file:
  • Make sure you read the instructions on how to install the hosts file, here.

    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
  • If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • Hit Enter, then locate DNS Client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click OK
  • Use Anti-Virus Software - It's very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - LIST of free Anti virus programs
  • Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one.
  • Site Advisor - This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Here are links to a few articles which are well worth reading.



#26 zeitcheist

zeitcheist

    Authentic Member

  • Authentic Member
  • 20 posts

Posted 27 April 2008 - 09:42 AM

Okay, I think the machine's fine now. Removed all the utilities you mentioned. I am removing Java now, still downloading the update 6. Anyway, can I continue using the SDK? I'm pretty sure it won't hurt my machine, will it? By the way, thanks for your help. Can you teach me how to remove such infections? I want to learn from you. If you just have spare time. I mean, you can send me email if you don't mind teaching me some. Thanks again!

#27 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 27 April 2008 - 01:18 PM

Not sure what you mean by SDK.

If you want to learn how to remove Malware, there's a school on this forum.

http://forums.whatth...tocom=dstaffapp

#28 Gary R

Gary R

    MRU Administrator

  • MRU Teachers
  • 1,510 posts

Posted 02 May 2008 - 01:29 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
