WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] CAN U HELP PLEASE

Started by CMROER , May 10 2008 09:18 PM

This topic is locked

17 replies to this topic

#1 CMROER

New Member

New Member
10 posts

Posted 10 May 2008 - 09:18 PM

Used this before without any problem but this time I have been really zapped and am not sure what to "fix". My task manager has been "disabled by your administrator", my desktop theme changed to a "warning dangerouos virus" . I ran Windows Defender and removed 8 viruses but still did not take care of all the problems. Any help is greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 9:03:21 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\b2new.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack\QdrPack15.exe
C:\PROGRA~1\SMBOLS~1\ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.244.127:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: URLSearch Class - {965a592f-8efa-4250-8630-7960230792f1} - C:\WINDOWS\System32\cdsm32.dll (file missing)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {BCC0AD55-E81F-4DC7-8577-1D224C3F3F14} - C:\WINDOWS\system32\jkkKeddE.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\awtuvWmk.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsSecurity Updated - Unknown - C:\WINDOWS\b2new.exe
O23 - Service: Symantec Client Firewall Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Client Firewall Proxy Service - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Advertisements

Register to Remove

#2 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 11 May 2008 - 09:40 AM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hi CMROER

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:

Perform all actions in the order given.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with it till you're given the all clear.
Remember, absence of symptoms does not mean the infection is all gone.

If you can do these things, everything should go smoothly.

If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Admistrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please be aware that clearing an infection from your computer is a potentially hazardous operation.

Removing Malware is a constantly evolving process, as we find means to remove infections, the Malware writers modify their creations to make it more difficult and dangerous for us to do so.

Because of this it is impossible for us to know exactly what is on your computer, or how it will react to the methods we use to remove it. Similarly there is no way for us to predict how the tools we use will interact with the particular combination of software and hardware on your computer.

Because of this, we strongly advise that you back up your personal files and folders to some 3rd party media (CD/DVD, USB Disk etc.) before starting the removal process.

OK, there's at least 2 major infections on your computer, and it'll take us a while to get it all removed. Stick with it, we should be able to get you clean.

There are some new infections that damage your ability to boot if they are removed. So before we go any further, I need you to install Recovery Console to your computer. This is purely a precautionary measure, I don't see signs of them on your computer, but it's better to be a little cautious now than regretful later.

Recovery Console gives us the ability to recover your computer if things go wrong.

Download combofix.exe by sUBs to your Desktop (it must be in this location).
Alternate Download
If you already have a previous version, delete it and download a new version.
Go to Microsoft's website
Select the download that's appropriate for your Operating System (if you have XP Media Centre, use download for XP Pro)

Download the file & save it as it's originally named, to your Desktop.

Next
Disconnect from the Internet.
Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours are not listed and you don't know how to disable them, please ask.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix.
When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
When complete a mesage will pop up asking if you want to continue scanning for Malware.
- Click Yes
- Combofix will now run a scan. (Usually takes 15-20 mins, but could be slightly longer)
- When finished, it will
- Produce a log for you. (it can also be found at C:\Combofix.txt)
Post the log in your next reply please.
Now run a new HJT scan and send me the log from that as well please.

[*]Don't forget to re-enable your anti-virus and anti-malware protection before re-connecting to the Internet.
[/list]IMPORTANT

Do not use your computer while Combofix is running.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

Edited by Gary R, 11 May 2008 - 09:46 AM.

#3 CMROER

New Member

New Member
10 posts

Posted 11 May 2008 - 12:59 PM

Took forever getting back online to read your response, which was GREATLY APPRECIATED. Have completed combofix (that took forever just to get on the internet to load, have been trying since 9 this morning!). Anyway, am posting the comboxfix.txt. and then the new hijack scan also.

ComboFix 08-05-09.1 - Owner 2008-05-11 14:22:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.117 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\smbols~1
C:\Program Files\smbols~1\ati2evxx.exe
C:\Program Files\smbols~1\s?mbols\
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\bundles
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\aGQBbcdd.ini
C:\WINDOWS\system32\aGQBbcdd.ini2
C:\WINDOWS\system32\aknapdoa.ini
C:\WINDOWS\system32\dfbdlomv.ini
C:\WINDOWS\system32\EddeKkkj.ini
C:\WINDOWS\system32\EddeKkkj.ini2
C:\WINDOWS\system32\hhghPqru.ini
C:\WINDOWS\system32\hhghPqru.ini2
C:\WINDOWS\system32\hiSrCcfe.ini
C:\WINDOWS\system32\hiSrCcfe.ini2
C:\WINDOWS\system32\llneqalp.ini
C:\WINDOWS\system32\pbotnxsb.ini
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wuauclt.dll
C:\WINDOWS\system32\XxIhPqss.ini
C:\WINDOWS\system32\XxIhPqss.ini2
C:\WINDOWS\system32\YccKQqss.ini
C:\WINDOWS\system32\YccKQqss.ini2
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_MSSECURITY1.209.4
-------\Service_6to4
-------\Service_MsSecurity1.209.4

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 13:38 . 2008-05-11 13:38 83,024 --a------ C:\WINDOWS\system32\bsxntobp.dll
2008-05-11 13:38 . 2008-05-11 13:38 2,048 --a------ C:\WINDOWS\system32\xflbdvdr.exe
2008-05-11 13:36 . 2008-05-11 13:36 98,912 --a------ C:\WINDOWS\system32\rvwsjfti.dll
2008-05-11 13:35 . 2008-05-11 13:35 316,464 --a------ C:\WINDOWS\system32\efcCrSih.dll
2008-05-11 13:35 . 2008-05-11 13:35 90,208 --a------ C:\WINDOWS\system32\cwrtddkx.dll
2008-05-11 12:08 . 2008-05-11 12:08 83,024 --a------ C:\WINDOWS\system32\aodpanka.dll
2008-05-11 12:08 . 2008-05-11 12:08 2,048 --a------ C:\WINDOWS\system32\poexnqrj.exe
2008-05-11 12:05 . 2008-05-11 12:05 98,912 --a------ C:\WINDOWS\system32\rrntijpg.dll
2008-05-11 12:03 . 2008-05-11 12:03 90,208 --a------ C:\WINDOWS\system32\ahhyarek.dll
2008-05-11 12:02 . 2008-05-11 12:02 316,464 --a------ C:\WINDOWS\system32\ddcbBQGa.dll
2008-05-11 10:52 . 2008-05-11 10:52 98,912 --a------ C:\WINDOWS\system32\icconymw.dll
2008-05-11 10:47 . 2008-05-11 10:47 90,208 --a------ C:\WINDOWS\system32\rgawvpyo.dll
2008-05-11 10:47 . 2008-05-11 10:47 2,048 --a------ C:\WINDOWS\system32\lvekilke.exe
2008-05-11 10:46 . 2008-05-11 10:46 316,464 --a------ C:\WINDOWS\system32\ssqQKccY.dll
2008-05-11 07:41 . 2008-05-11 07:41 83,024 --a------ C:\WINDOWS\system32\plaqenll.dll
2008-05-11 07:41 . 2008-05-11 07:41 2,048 --a------ C:\WINDOWS\system32\fuvmxgdl.exe
2008-05-11 07:39 . 2008-05-11 14:08 109,876 --a------ C:\WINDOWS\BMffe08c59.xml
2008-05-11 07:39 . 2008-05-11 07:39 90,208 --a------ C:\WINDOWS\system32\nvavioew.dll
2008-05-11 07:38 . 2008-05-11 07:38 316,464 --a------ C:\WINDOWS\system32\urqPhghh.dll
2008-05-10 17:15 . 2008-05-10 17:15 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-10 17:14 . 2008-05-10 17:14 25,728 --a------ C:\WINDOWS\system32\awtuvWmk.dll
2008-05-10 17:13 . 2008-05-10 17:13 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 14:10 . 2008-05-09 14:10 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 16:13 --------- d-----w C:\Program Files\Google
2008-04-23 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BF6ACED-B17A-438E-BBB5-034F934FE086}]
2008-05-11 07:38 316464 --a------ C:\WINDOWS\system32\urqPhghh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60B0434F-D4DA-4F88-BB6D-F4C6060036B9}]
2008-05-11 14:44 316464 --a------ C:\WINDOWS\system32\ssqRLBuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c5c2a47-7ca7-41c6-be15-c02a1a516c0c}]
2008-05-11 13:36 98912 --a------ C:\WINDOWS\system32\rvwsjfti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{929AA2F0-FA87-460A-AD5C-49BB831794D5}]
2008-05-11 10:46 316464 --a------ C:\WINDOWS\system32\ssqQKccY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B17932ED-E657-4C28-9B06-236CD8570A22}]
2008-05-11 13:35 316464 --a------ C:\WINDOWS\system32\efcCrSih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-10 17:14 25728 --a------ C:\WINDOWS\system32\awtuvWmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D96695E6-2D32-436F-B82E-EC287DD12A92}]
2008-05-11 12:02 316464 --a------ C:\WINDOWS\system32\ddcbBQGa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30 45632]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05 45056]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"USSShReg"="C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe" [1997-11-23 04:16 20992]
"iamapp"="C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE" [2003-05-21 05:13 373976]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"fcd3bfc5"="C:\WINDOWS\system32\bsxntobp.dll" [2008-05-11 13:38 83024]
"BMffe08c59"="C:\WINDOWS\system32\mqjejuac.dll" [2008-05-11 14:47 90208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\awtuvWmk.dll [2008-05-10 17:14 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvWmk]
awtuvWmk.dll 2008-05-10 17:14 25728 C:\WINDOWS\system32\awtuvWmk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqRLBuv

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.NEWMAN^Start Menu^Programs^Startup^AutoPlay.exe]
path=C:\Documents and Settings\Administrator.NEWMAN\Start Menu\Programs\Startup\AutoPlay.exe
backup=C:\WINDOWS\pss\AutoPlay.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ipix.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipix.exe
backup=C:\WINDOWS\pss\ipix.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scanner Detector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner Detector.lnk
backup=C:\WINDOWS\pss\Scanner Detector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
backup=C:\WINDOWS\pss\SmartUI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a--c--- 2002-09-10 22:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMffe08c59]
--a------ 2008-05-11 07:39 90208 C:\WINDOWS\system32\nvavioew.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a------ 2002-06-08 04:20 86016 C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
--a------ 2002-06-08 04:18 122880 C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2002-07-16 11:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd3bfc5]
--a------ 2008-05-11 07:41 83024 C:\WINDOWS\system32\plaqenll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
--a--c--- 2006-11-01 21:46 30928 C:\Program Files\GAMES\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 06:29 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2002-06-10 17:06 36864 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
C:\WINDOWS\system32\nrnvpu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\CDSETUP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-28 15:19 4841472 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-07-28 15:19 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2002-06-10 16:37 45108 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-20 18:20 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2001-12-19 02:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\PROGRA~1\REGIST~1\regclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-05-09 11:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-13 14:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2002-02-28 15:57 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
C:\WINDOWS\system32\kykwcp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wovax]
C:\WINDOWS\wovax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adstartup"=C:\WINDOWS\System32\automove.exe
"BullsEye Network"=C:\Program Files\BullsEye Network\bin\bargains.exe
"sais"=c:\program files\180solutions\sais.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Kiplingers Home and Business Attorney\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 NISSERV;Symantec Client Firewall Service;C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE [2003-05-21 05:18]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-04-17 13:23]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 PCDRDRV;Pcdr Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 14:53]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
C:\WINDOWS\system32\ocobmdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
C:\WINDOWS\system32\ocobmdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 18:37:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 14:35:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\pbotnxsb.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\awtuvWmk.dll
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bsxntobp.dll
-> C:\WINDOWS\system32\mqjejuac.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-11 14:49:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-11 18:48:53

Pre-Run: 77,523,050,496 bytes free
Post-Run: 78,016,851,968 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

385 --- E O F --- 2008-05-09 13:47:16

hijack file

It won't let me save a log file, it scans but when i hit save log it exits out.

#4 CMROER

New Member

New Member
10 posts

Posted 11 May 2008 - 01:00 PM

#5 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 12 May 2008 - 01:36 AM

OK, we've got some of your infection, but there's a whole lot more to go at yet.

Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.

File::
C:\WINDOWS\system32\bsxntobp.dll
C:\WINDOWS\system32\xflbdvdr.exe
C:\WINDOWS\system32\rvwsjfti.dll
C:\WINDOWS\system32\efcCrSih.dll
C:\WINDOWS\system32\cwrtddkx.dll
C:\WINDOWS\system32\aodpanka.dll
C:\WINDOWS\system32\poexnqrj.exe
C:\WINDOWS\system32\rrntijpg.dll
C:\WINDOWS\system32\ahhyarek.dll
C:\WINDOWS\system32\ddcbBQGa.dll
C:\WINDOWS\system32\icconymw.dll
C:\WINDOWS\system32\rgawvpyo.dll
C:\WINDOWS\system32\lvekilke.exe
C:\WINDOWS\system32\ssqQKccY.dll
C:\WINDOWS\system32\plaqenll.dll
C:\WINDOWS\system32\fuvmxgdl.exe
C:\WINDOWS\BMffe08c59.xml
C:\WINDOWS\system32\nvavioew.dll
C:\WINDOWS\system32\urqPhghh.dll
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\system32\awtuvWmk.dll
C:\WINDOWS\b2new.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\ssqRLBuv.dll
C:\WINDOWS\system32\mqjejuac.dll
C:\WINDOWS\system32\kykwcp.exe
C:\WINDOWS\wovax.exe
C:\WINDOWS\System32\automove.exe
C:\WINDOWS\system32\ocobmdr.exe
C:\WINDOWS\system32\pbotnxsb.ini
C:\WINDOWS\system32\mqjejuac.dll

Folder::
C:\Program Files\BullsEye Network
c:\program files\180solutions

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BF6ACED-B17A-438E-BBB5-034F934FE086}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60B0434F-D4DA-4F88-BB6D-F4C6060036B9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c5c2a47-7ca7-41c6-be15-c02a1a516c0c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{929AA2F0-FA87-460A-AD5C-49BB831794D5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B17932ED-E657-4C28-9B06-236CD8570A22}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D96695E6-2D32-436F-B82E-EC287DD12A92}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fcd3bfc5"=-
"BMffe08c59"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuvWmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMffe08c59]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcd3bfc5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wovax]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adstartup"=-
"BullsEye Network"=-
"sais"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Click Format and ensure Wordwrap is unchecked.
Save as CFScript.txt to your Desktop.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

Please download Malwarebytes' Anti-Malware to your Desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Click on the Malwarebytes' Anti-Malware icon to launch the programme.
- Click the Updates tab.
- Click Check for Updates and allow the programme to download the latest definitions.
Click the Scanner tab.
- Check Perform Quick Scan.
- Click Scan and wait for the scan to complete.
- When the scan is complete, click OK, then Show Results.
- Ensure all items are checked then click Remove Selected.
- A box will pop-up telling you that files have been quarantined.
- A log will pop-up.
Post the log in your next reply please.

[/list]
You can also access the log by doing the following

Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open

Next

Run a new scan with HJT and post me the log please (if you still can't run HJT let me know).

Edited by Gary R, 12 May 2008 - 01:38 AM.

#6 CMROER

New Member

New Member
10 posts

Posted 12 May 2008 - 12:27 PM

You are a GODSEND!! BLESS YOU. I may not be done but I was able to get right on to post this whereas before it took literally hours of trying.

The Combofix with CFScript.txt

ComboFix 08-05-09.1 - Owner 2008-05-12 13:23:20.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMffe08c59.xml
C:\WINDOWS\system32\ahhyarek.dll
C:\WINDOWS\system32\aodpanka.dll
C:\WINDOWS\System32\automove.exe
C:\WINDOWS\system32\awtuvWmk.dll
C:\WINDOWS\system32\bsxntobp.dll
C:\WINDOWS\system32\cwrtddkx.dll
C:\WINDOWS\system32\ddcbBQGa.dll
C:\WINDOWS\system32\efcCrSih.dll
C:\WINDOWS\system32\fuvmxgdl.exe
C:\WINDOWS\system32\icconymw.dll
C:\WINDOWS\system32\kykwcp.exe
C:\WINDOWS\system32\lvekilke.exe
C:\WINDOWS\system32\mqjejuac.dll
C:\WINDOWS\system32\nvavioew.dll
C:\WINDOWS\system32\ocobmdr.exe
C:\WINDOWS\system32\pbotnxsb.ini
C:\WINDOWS\system32\plaqenll.dll
C:\WINDOWS\system32\poexnqrj.exe
C:\WINDOWS\system32\rgawvpyo.dll
C:\WINDOWS\system32\rrntijpg.dll
C:\WINDOWS\system32\rvwsjfti.dll
C:\WINDOWS\system32\ssqQKccY.dll
C:\WINDOWS\system32\ssqRLBuv.dll
C:\WINDOWS\system32\urqPhghh.dll
C:\WINDOWS\system32\xflbdvdr.exe
C:\WINDOWS\wovax.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMffe08c59.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ahhyarek.dll
C:\WINDOWS\system32\aodpanka.dll
C:\WINDOWS\system32\awtuvWmk.dll
C:\WINDOWS\system32\BKmVDcfe.ini
C:\WINDOWS\system32\BKmVDcfe.ini2
C:\WINDOWS\system32\cwrtddkx.dll
C:\WINDOWS\system32\ddcbBQGa.dll
C:\WINDOWS\system32\efcCrSih.dll
C:\WINDOWS\system32\fuvmxgdl.exe
C:\WINDOWS\system32\ggilnUtv.ini
C:\WINDOWS\system32\ggilnUtv.ini2
C:\WINDOWS\system32\hoeyuaed.ini
C:\WINDOWS\system32\icconymw.dll
C:\WINDOWS\system32\lvekilke.exe
C:\WINDOWS\system32\nvavioew.dll
C:\WINDOWS\system32\pbotnxsb.ini
C:\WINDOWS\system32\plaqenll.dll
C:\WINDOWS\system32\poexnqrj.exe
C:\WINDOWS\system32\rgawvpyo.dll
C:\WINDOWS\system32\rrntijpg.dll
C:\WINDOWS\system32\rvwsjfti.dll
C:\WINDOWS\system32\ssqQKccY.dll
C:\WINDOWS\system32\ssqRLBuv.dll
C:\WINDOWS\system32\urqPhghh.dll
C:\WINDOWS\system32\vipkduvl.ini
C:\WINDOWS\system32\vuBLRqss.ini
C:\WINDOWS\system32\vuBLRqss.ini2
C:\WINDOWS\system32\vxvpppgt.ini
C:\WINDOWS\system32\xflbdvdr.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 08:22 . 2008-05-12 08:22 83,008 --a------ C:\WINDOWS\system32\tgpppvxv.dll
2008-05-12 08:19 . 2008-05-12 08:19 2,048 --a------ C:\WINDOWS\system32\glvqcgoy.exe
2008-05-12 08:16 . 2008-05-12 08:16 98,896 --a------ C:\WINDOWS\system32\sxxsxlqg.dll
2008-05-12 08:14 . 2008-05-12 08:14 90,176 --a------ C:\WINDOWS\system32\safkcuth.dll
2008-05-12 08:13 . 2008-05-12 08:13 316,496 --a------ C:\WINDOWS\system32\efcDVmKB.dll
2008-05-11 20:22 . 2008-05-11 20:32 <DIR> d-------- C:\HJTV2
2008-05-11 17:32 . 2008-05-11 17:32 2,048 --a------ C:\WINDOWS\system32\kjcvbqwp.exe
2008-05-11 17:29 . 2008-05-11 17:29 98,912 --a------ C:\WINDOWS\system32\dhmscclq.dll
2008-05-11 17:27 . 2008-05-11 17:27 90,208 --a------ C:\WINDOWS\system32\lyrrqmjp.dll
2008-05-11 17:27 . 2008-05-11 17:27 83,024 --a------ C:\WINDOWS\system32\lvudkpiv.dll
2008-05-11 17:26 . 2008-05-11 17:26 316,464 --a------ C:\WINDOWS\system32\vtUnligg.dll
2008-05-11 14:52 . 2008-05-11 14:52 83,024 --a------ C:\WINDOWS\system32\deauyeoh.dll
2008-05-11 14:49 . 2008-05-11 14:49 98,912 --a------ C:\WINDOWS\system32\tmsguigo.dll
2008-05-11 14:47 . 2008-05-11 14:47 90,208 --a------ C:\WINDOWS\system32\mqjejuac.err
2008-05-11 14:47 . 2008-05-11 14:47 2,048 --a------ C:\WINDOWS\system32\ymntjieu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 16:13 --------- d-----w C:\Program Files\Google
2008-04-23 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_14.47.57.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 18:33:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 17:39:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-11 18:34:39 15,600 ----a-w C:\WINDOWS\system32\wacom.dat
+ 2008-05-12 17:40:33 15,600 ----a-w C:\WINDOWS\system32\wacom.dat
+ 2008-05-12 17:45:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{007D6D04-DFE7-44EC-8C0A-670F8B59A8E6}]
2008-05-11 17:26 316464 --a------ C:\WINDOWS\system32\vtUnligg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7a70e1bc-d3eb-44a6-8d9d-563bea98ccf3}]
2008-05-12 08:16 98896 --a------ C:\WINDOWS\system32\sxxsxlqg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8BAB139-B9AD-4364-9BF4-C3AB2BA390D1}]
2008-05-12 08:13 316496 --a------ C:\WINDOWS\system32\efcDVmKB.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30 45632]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05 45056]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"USSShReg"="C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe" [1997-11-23 04:16 20992]
"iamapp"="C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE" [2003-05-21 05:13 373976]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.NEWMAN^Start Menu^Programs^Startup^AutoPlay.exe]
path=C:\Documents and Settings\Administrator.NEWMAN\Start Menu\Programs\Startup\AutoPlay.exe
backup=C:\WINDOWS\pss\AutoPlay.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ipix.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipix.exe
backup=C:\WINDOWS\pss\ipix.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scanner Detector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner Detector.lnk
backup=C:\WINDOWS\pss\Scanner Detector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
backup=C:\WINDOWS\pss\SmartUI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a--c--- 2002-09-10 22:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a------ 2002-06-08 04:20 86016 C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
--a------ 2002-06-08 04:18 122880 C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2002-07-16 11:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
--a--c--- 2006-11-01 21:46 30928 C:\Program Files\GAMES\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 06:29 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2002-06-10 17:06 36864 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
C:\WINDOWS\system32\nrnvpu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\CDSETUP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-28 15:19 4841472 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-07-28 15:19 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2002-06-10 16:37 45108 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-20 18:20 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2001-12-19 02:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\PROGRA~1\REGIST~1\regclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-05-09 11:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-13 14:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2002-02-28 15:57 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Kiplingers Home and Business Attorney\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 NISSERV;Symantec Client Firewall Service;C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE [2003-05-21 05:18]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-04-17 13:23]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 PCDRDRV;Pcdr Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 14:53]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
C:\WINDOWS\system32\ocobmdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
C:\WINDOWS\system32\ocobmdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 17:45:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 13:40:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-12 13:51:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 17:51:26
ComboFix2.txt 2008-05-11 18:49:12

Pre-Run: 82,177,064,960 bytes free
Post-Run: 82,162,302,976 bytes free

304 --- E O F --- 2008-05-09 13:47:16

The Malwarebytes log

Malwarebytes' Anti-Malware 1.12
Database version: 743

Scan type: Quick Scan
Objects scanned: 39949
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{339d8aff-0b42-4260-ad82-78ce605a9543} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a36a5936-cfd9-4b41-86bd-319a1931887f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{58634367-d62b-4c2c-86be-5aac45cdb671} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5f1abcdb-a875-46c1-8345-b72a4567e486} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8cba1b49-8144-4721-a7b1-64c578c9eed7} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d0288a41-9855-4a9b-8316-babe243648da} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearch.urlsearch (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearch.urlsearch.1 (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj.1 (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cea206e8-8057-4a04-ace9-ff0d69a92297} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adrotator.application (Adware.2ndThought ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e7145b1-ea07-42ce-9299-11df39ff54bd} (Adware.2ndThought ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{3e7145b1-ea07-42ce-9299-11df39ff54bd} (Adware.2ndThought ) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ISTbar (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sidefind (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbarISTbar (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c8bab139-b9ad-4364-9bf4-c3ab2ba390d1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8bab139-b9ad-4364-9bf4-c3ab2ba390d1} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5f1abcdb-a875-46c1-8345-b72a4567e486} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\bnetunin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcDVmKB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Deluxe Bible Collection.lnk (Dialer) -> Quarantined and deleted successfully.

Downloaded the V2 of HJT and ran, worked fine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:28 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\HJTV2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.whatth...emoval_f27.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.244.127:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {007D6D04-DFE7-44EC-8C0A-670F8B59A8E6} - C:\WINDOWS\system32\vtUnligg.dll
O2 - BHO: {3fcc89ae-b365-d9d8-6a44-be3dcb1e07a7} - {7a70e1bc-d3eb-44a6-8d9d-563bea98ccf3} - C:\WINDOWS\system32\sxxsxlqg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5447 bytes

Will anxiously await your reply. My most sincere regards, Catherine

#7 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 12 May 2008 - 02:32 PM

OK lots better but still not got everything. Looks like I missed something last time and you've been partially re-infected. Try to keep offline except for downloading tools or running scans until we get you clean.

Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.

File::
C:\WINDOWS\system32\tgpppvxv.dll
C:\WINDOWS\system32\glvqcgoy.exe
C:\WINDOWS\system32\sxxsxlqg.dll
C:\WINDOWS\system32\safkcuth.dll
C:\WINDOWS\system32\efcDVmKB.dll
C:\WINDOWS\system32\kjcvbqwp.exe
C:\WINDOWS\system32\dhmscclq.dll
C:\WINDOWS\system32\lyrrqmjp.dll
C:\WINDOWS\system32\lvudkpiv.dll
C:\WINDOWS\system32\vtUnligg.dll
C:\WINDOWS\system32\deauyeoh.dll
C:\WINDOWS\system32\tmsguigo.dll
C:\WINDOWS\system32\mqjejuac.err
C:\WINDOWS\system32\ymntjieu.exe
C:\WINDOWS\system32\vtUnligg.dll

Rootkit::
C:\WINDOWS\system32\ocobmdr.exe
C:\WINDOWS\system32\nrnvpu.exe
C:\WINDOWS\system32\sockins32.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{007D6D04-DFE7-44EC-8C0A-670F8B59A8E6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7a70e1bc-d3eb-44a6-8d9d-563bea98ccf3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8BAB139-B9AD-4364-9BF4-C3AB2BA390D1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KavSvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]

Click Format and ensure Wordwrap is unchecked.
Save as CFScript.txt to your Desktop.

Click Start > Run and type cleanmgr then click OK.
This will bring up the Disk Cleanup window.
Check the following entries.
- Temporary Internet Files.
- Recycle Bin.
- Temporary Files.
Click OK.
When a prompt pops up click Yes.

Then

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (If available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
In the Save as... prompt, select Desktop
In the File name box, name the file KAVScan
In the Save as type prompt, select Text file (see below)
Copy and paste that information in your next post please.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Finally

Run a new scan with HJT and post me the log please.

#8 CMROER

New Member

New Member
10 posts

Posted 12 May 2008 - 06:31 PM

Again, many, many thanks. Lots of infection it seems.

New Combofix with CFScript

ComboFix 08-05-09.1 - Owner 2008-05-12 16:47:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\deauyeoh.dll
C:\WINDOWS\system32\dhmscclq.dll
C:\WINDOWS\system32\efcDVmKB.dll
C:\WINDOWS\system32\glvqcgoy.exe
C:\WINDOWS\system32\kjcvbqwp.exe
C:\WINDOWS\system32\lvudkpiv.dll
C:\WINDOWS\system32\lyrrqmjp.dll
C:\WINDOWS\system32\mqjejuac.err
C:\WINDOWS\system32\safkcuth.dll
C:\WINDOWS\system32\sxxsxlqg.dll
C:\WINDOWS\system32\tgpppvxv.dll
C:\WINDOWS\system32\tmsguigo.dll
C:\WINDOWS\system32\vtUnligg.dll
C:\WINDOWS\system32\ymntjieu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\deauyeoh.dll
C:\WINDOWS\system32\dhmscclq.dll
C:\WINDOWS\system32\glvqcgoy.exe
C:\WINDOWS\system32\kjcvbqwp.exe
C:\WINDOWS\system32\lvudkpiv.dll
C:\WINDOWS\system32\lyrrqmjp.dll
C:\WINDOWS\system32\mqjejuac.err
C:\WINDOWS\system32\nrnvpu.exe
C:\WINDOWS\system32\ocobmdr.exe
C:\WINDOWS\system32\safkcuth.dll
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\sxxsxlqg.dll
C:\WINDOWS\system32\tgpppvxv.dll
C:\WINDOWS\system32\tmsguigo.dll
C:\WINDOWS\system32\vtUnligg.dll
C:\WINDOWS\system32\ymntjieu.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 14:02 . 2008-05-12 14:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 14:02 . 2008-05-12 14:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-12 14:02 . 2008-05-12 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 14:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 14:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 20:22 . 2008-05-12 14:23 <DIR> d-------- C:\HJTV2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 16:13 --------- d-----w C:\Program Files\Google
2008-04-23 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_14.47.57.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 18:33:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 20:52:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-11 18:34:39 15,600 ----a-w C:\WINDOWS\system32\wacom.dat
+ 2008-05-12 20:53:51 15,600 ----a-w C:\WINDOWS\system32\wacom.dat
+ 2008-05-12 20:58:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_580.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30 45632]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05 45056]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"USSShReg"="C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe" [1997-11-23 04:16 20992]
"iamapp"="C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE" [2003-05-21 05:13 373976]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21 90112]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.NEWMAN^Start Menu^Programs^Startup^AutoPlay.exe]
path=C:\Documents and Settings\Administrator.NEWMAN\Start Menu\Programs\Startup\AutoPlay.exe
backup=C:\WINDOWS\pss\AutoPlay.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ipix.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipix.exe
backup=C:\WINDOWS\pss\ipix.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scanner Detector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner Detector.lnk
backup=C:\WINDOWS\pss\Scanner Detector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
backup=C:\WINDOWS\pss\SmartUI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a--c--- 2002-09-10 22:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a------ 2002-06-08 04:20 86016 C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
--a------ 2002-06-08 04:18 122880 C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2002-07-16 11:03 106549 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
--a--c--- 2006-11-01 21:46 30928 C:\Program Files\GAMES\Kuma Games\hcsystray\hc_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 06:29 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2002-06-10 17:06 36864 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\CDSETUP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-28 15:19 4841472 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-07-28 15:19 852038 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2002-06-10 16:37 45108 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-20 18:20 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2001-12-19 02:39 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]
C:\PROGRA~1\REGIST~1\regclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-05-09 11:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-13 14:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
--a------ 2002-02-28 15:57 20480 C:\WINDOWS\wt\updater\wcmdmgrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Kiplingers Home and Business Attorney\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 NISSERV;Symantec Client Firewall Service;C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE [2003-05-21 05:18]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-04-17 13:23]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 13:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 13:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 13:12]
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 13:12]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 13:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 13:12]
S3 PCDRDRV;Pcdr Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 14:53]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea]
C:\WINDOWS\system32\ocobmdr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 20:58:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 16:53:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-12 17:04:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 21:04:34
ComboFix2.txt 2008-05-12 17:51:33
ComboFix3.txt 2008-05-11 18:49:12

Pre-Run: 82,108,727,296 bytes free
Post-Run: 82,121,109,504 bytes free

249 --- E O F --- 2008-05-09 13:47:16

I then ran cleanmgr as directed and went online and ran Kaspersky Scanner

Kaspersky Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 8:14:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 765113
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 154900
Number of viruses found: 22
Number of infected objects: 125
Number of suspicious objects: 0
Duration of the scan process: 02:08:45

Infected Object Name / Virus Name / Last Action
C:\cat personal folder.pst/cat folder/EBAY/13 Mar 2004 10:14 to annie429@bellsouth.net; aowen@bellsouth.net/eBay Account Investigation.htm Infected: Trojan-Spy.HTML.Bayfraud.g skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/15 May 2005 19:56 from eBay Member: cmroer:Question about paymen.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\cat personal folder.pst/cat folder/read/15 Oct 2003 13:34 from Roer, Catherine Ms (ESA DIGICON CONTR)/RevelationHelper.dll Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/15 Oct 2003 13:34 from Roer, Catherine Ms (ESA DIGICON CONTR)/Revelation.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst/cat folder/read/07 Aug 2003 14:24 from Roer, Catherine Ms (ESA DIGICON CONTR):Re/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\cat personal folder.pst MailMSMaill: infected - 52 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06212007-174525.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04E00000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04E40000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05200000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BC40000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D3C0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D400000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980003.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E980004.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ECC0000.VBN Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE40000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE40001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE80000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE80001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE80002.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE80003.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EE80004.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EEC0000.VBN Infected: not-a-virus:AdWare.Win32.BHO.awz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EEC0001.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EEC0002.VBN Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF00000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F100000.VBN Infected: Trojan-Downloader.Win32.Qoologic.be skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F100001.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{11F17683-2D54-4057-A34F-08FE2F7F9834}\Microsoft\Outlook Express\Inbox.dbx/[From "eBay Member: cmroer" <member@ebay.com>][Date Sun, 15 May 2005 12:56:50 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{11F17683-2D54-4057-A34F-08FE2F7F9834}\Microsoft\Outlook Express\Inbox.dbx/[From "eBay Member: cmroer" <member@ebay.com>][Date Sun, 15 May 2005 12:56:50 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{11F17683-2D54-4057-A34F-08FE2F7F9834}\Microsoft\Outlook Express\Inbox.dbx MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\EBAY.dbx/[From <support@eBay.com>][Date Sat, 13 Mar 2004 05:15:31 -0600]/eBay Infected: Trojan-Spy.HTML.Bayfraud.g skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\EBAY.dbx MailMSOutlook5: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/RevelationV2.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/revelanch.zip/Revelanch.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED/revelanch.zip Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx/[From "Roer, Catherine Ms (ESA DIGICON CONTR)"][Date Thu, 7 Aug 2003 10:17:46 -0400 ]/UNNAMED Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{E006D5D9-0388-4C63-8AB2-368AD966CBD9}\Microsoft\Outlook Express\read.dbx MailMSOutlook5: infected - 7 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\pwdump.exe Infected: not-a-virus:PSWTool.Win32.PWDump.b skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamadblk.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamalert.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamfw.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamids.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iampriv.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamsys.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamtcp.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamtdi.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\iamwebh.rel Object is locked skipped
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\nisum.dat Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\QooBox\Quarantine\C\Program Files\SMBOLS~1\ati2evxx.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\QooBox\Quarantine\C\WINDOWS\b2new.exe.vir Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP150\A0094821.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0095965.exe Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0095967.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096001.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096002.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096003.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096003.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096003.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096004.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP152\A0096004.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP155\A0096149.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP155\A0096150.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP155\A0096150.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP155\A0096151.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP156\change.log Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP28\A0030553.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.i skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP28\A0030553.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe Infected: not-a-virus:AdWare.Win32.Sahat.j skipped
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe Infected: not-a-virus:AdWare.Win32.Sahat.j skipped
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll Infected: not-a-virus:AdWare.Win32.Sahat.c skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_580.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP156\change.log Object is locked skipped

Scan process completed.

Finally ran HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:45 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJTV2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.whatth...emoval_f27.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.244.127:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5386 bytes

Thank you Gary for all your time and effort. Best Regards, Catherine

#9 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 13 May 2008 - 03:48 AM

Hi Catherine,

Looking much better now.

The Kaspersky log is not quite so bad as it may seem. A lot of the "infections" found are the encrypted backups made by Norton and the tools Combofix, also your System Restore points are infected, they can't re-infect you unless you do a restore, and we will remove them before we finish to ensure that possibility is removed.

For the moment I'd like to leave them alone. I don't like to remove SR points till right at the end, just in case anything goes wrong (not that I'm expecting it to), better an infected restore point than no restore point.

OK, there's a few files from the Kaspersky log that need attending to.

Download OTMoveIt2 by Old Timer and save it to your Desktop.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

C:\Documents and Settings\Owner\My Documents\pwdump.exe
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2

There's also a file keeps re-appearing in your Combofix log that I can't find any reliable information on, so I'd like to have it scanned to see if it's malicious or not. It may be a random named file generated by a legit process on your computer, but I'd like to make sure.

Go to VirusTotal or Jotti's

C:\WINDOWS\system32\ocobmdr.exe

Copy/Paste the file in the quote box above into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Post me the details please.

#10 CMROER

New Member

New Member
10 posts

Posted 13 May 2008 - 08:41 AM

Good Morning Gary

Thanks for the sigh of relief on this end. I knew something was wrong with the System Restore only because I usually do one once a month and all of them were wiped out. When I first started having trouble with the viruses and Windows Defender didn't get rid of them I went to SR and nothing was there expect for May 10, and that was when they hit me, so I knew not to restore. Here are the results of my latest from your instructions.

OTMoveIt

C:\Documents and Settings\Owner\My Documents\pwdump.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll unregistered successfully.
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05132008_101722

Virus Total

0 bytes size received / Se ha recibido un archivo vacio

JottiScan

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I double checked my firewalls and they are down, have Symantec and Windows. Both are disabled as far as I can tell, both have red x's over them and they say disabled?? My virus program, Symantec Corporate Edition is also disabled. Is there anything else I can do?

Thanks Again,
Catherine

Advertisements

Register to Remove

#11 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 13 May 2008 - 09:29 AM

OK, before we go pulling out the heavy duty removal tools, let's make sure the file is actually there, and if it is whether there's any information on it.

Make sure that you can see hidden files and folders.

Click Start.
Click My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Uncheck Hide protected operating system files a pop up will appear, answer Yes
Click OK.

Now navigate to

C:\WINDOWS\system32\ocobmdr.exe

and make sure there's a file there. If not, let me know.

If there is:-

Right click on ocobmdr.exe and select Properties.
Click on the General tab.
- Note down the size, date created, date modified.
Click on the Version tab.
- Note down the Description, Company, and any other details available.
Post them back here please.

#12 CMROER

New Member

New Member
10 posts

Posted 13 May 2008 - 09:45 AM

Hi, Thanks Gary. Didn't expect a reply so fast!! I came back to post I had performed a search (hidden files shown) and ocobmdr.exe was not found. Went to C:\WINDOWS\system32\ocobmdr.exe to look for myself and it is not there....Please tell me that is a good thing!! Thanks Catherine

#13 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 13 May 2008 - 03:53 PM

It means that all that's left is an orphaned registry entry that's probably being renewed by one of your security programmes.

Just to make sure, lets remove it again, this time using OTMoveIt.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

C:\WINDOWS\system32\ocobmdr.exe
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2

How's your computer running now ?

Edited by Gary R, 13 May 2008 - 03:55 PM.

#14 CMROER

New Member

New Member
10 posts

Posted 13 May 2008 - 04:33 PM

Hi Gary, Computer is running like new, THANK YOU. Haven't been on the net though except to check in here or to download what was requested. Have my Symantec back up and firewall, is that okay or should I leave them down until we are finished?

OTMoveIt Scan

File/Folder C:\WINDOWS\system32\ocobmdr.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\769f71f7-ca67-420e-a918-817a5baad1ea\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05132008_182527

#15 Gary R

MRU Administrator

MRU Teachers
1,510 posts

Posted 14 May 2008 - 12:14 AM

Hi Catherine,

If your Firewall and AV are switched off, please switch them back on immediately, even a short time online without them will get you re-infected. I tried an experiment not long back, and it only took me 10 mins online with an unprotected computer before I got infected.

OK, looks like we've got everything, time for a little housekeeping.

Let's clear out Combofix and the files/folders it created

Click Start > Run
Copy/Paste ComboFix /u into the Run box.
Click OK
The following items will now be processed.
- Deletes the following files/folders:
- ComboFix.exe
- %system%\swxcacls.exe
- %system%\swsc.exe
- %system%\VFind.exe
- %system%\moveex.exe
- %system%\swreg.exe
- %systemroot%\catchme.exe
- \ComboFix
- \Qoobox
- \VundoFix Backups
- \Deckard
- \_OTMoveIt
- %systemroot%\erdnt\subs
Resets the clock settings.
Hides file extensions
Hides System/Hidden files
Clears System Restore cache and create new Restore point (this will purge the infected System Restore Points I mentioned earlier).

IMPORTANT

Do not use your computer while Combofix is running.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately. Besides they're updated regularly so won't be of any use against future infections

Double click OTMoveIt2.exe to launch the programme.
Click on the CleanUp! button.
OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
You will be prompted to allow the clean up procedure, click Yes
When finished exit out of OTMoveIt
Now delete OTMoveIt2.exe (if still present).

Malwarebytes' Anti-Malware is Freeware, so you can keep it if you wish, or Uninstall it using Control Panel > Add/Remove Programs

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?

If you are let me know about them.
If not it's time to make your computer more secure.

Below are a series of recommendations which will help you keep more secure online.

Obviously you have already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Update your Java (if you use it).
Older versions have vulnerabilities that malware can and are using to infect systems.

Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.

Close any programmes you may have running, ESPECIALLY your web browser
Click Start > Control Panel.
Click Add/Remove Programs.
Check any item with Java Runtime Environment (JRE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.

Download the latest version of Java Runtime Environment (JRE) 6u6, and install it to your computer.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits, as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the windows update site and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit, Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

Spybot S & D
Spybot is a scanner. It scans for spyware and other malicious programs. It is important to have at least one malware scanner on your computer. Spybot has preventitive tools that stop programs from even installing on your computer (Teatimer, though personally I never use it).
To see how to set this up as well as more spybot features, see here
WinPatrol by BillPStudios is a programme that monitors your computer and notifies you if there are any unauthorised changes made to it. It gives you the option to allow or forbid the changes, thus guarding you against Malware installations. I consider this one a must have.

If you find you like it, you can get a lifetime upgrade to the Plus version for a small one time fee.
SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here
IE Spyad
It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
Hosts file:
Make sure you read the instructions on how to install the hosts file, here.
- Every version of windows has a hosts file as part of them.
- In a very basic sense, they are used to locate webpages.
- We can customize a hosts file so that it blocks certain webpages.
- However, it can slow down certain computers.
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
- Click the start button (at the lower left hand corner of your screen)
- Click run
- In the dialog box, type services.msc
- hit enter, then locate dns client
- Highlight it, then double-click it.
- On the dropdown box, change the setting from automatic to manual.
- Click ok

Use an Anti Virus Software - It's very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
Computer Safety On line - LIST of free Anti virus programs
Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
See here to choose one.
Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Here's links to a few articles which are well worth reading

Finally

NOW is the time you can start to hit back at the people who infected you.

Please take the time to go and complain - that forum has a topic for your infections which were Vundo and Purity Scan............ (if not, post in the Is your infection not listed here? topic). Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.

Body Background

skin color theme

[Resolved] CAN U HELP PLEASE

#1 CMROER

Advertisements

Register to Remove

#2 Gary R

#3 CMROER

#4 CMROER

#5 Gary R

#6 CMROER

#7 Gary R

#8 CMROER

#9 Gary R

#10 CMROER

Advertisements

Register to Remove

#11 Gary R

#12 CMROER

#13 Gary R

#14 CMROER

#15 Gary R

Related Topics

0 user(s) are reading this topic

About What the Tech

Follow Us

Body Background

skin color theme

[Resolved] CAN U HELP PLEASE

#1 CMROER

Advertisements Register to Remove

#2 Gary R

#3 CMROER

#4 CMROER

#5 Gary R

#6 CMROER

#7 Gary R

#8 CMROER

#9 Gary R

#10 CMROER

Advertisements Register to Remove

#11 Gary R

#12 CMROER

#13 Gary R

#14 CMROER

#15 Gary R

Related Topics

0 user(s) are reading this topic

About What the Tech

Follow Us

Sign In

Advertisements

Register to Remove

Advertisements

Register to Remove