[Closed] Got infected by malware/spyware.


12 replies to this topic

#1 kaser

    New Member

  • 14 posts

Posted 26 May 2008 - 08:07 AM

Hi, I got infected by a virtual ton of spyware the other day. I ran Ad-Aware and Spybot Search and Destroy (both updated). Got rid of quite a few of the malware and neither program now lists any critical objects found. However the resident protector on Spybot keeps popping up (at times once per second for a brief (1 min'ish) period of time) alerting me of attempted changes to the registry files. One entry in particular keeps popping up, saying it's a System Startup Global entry (I checked the "Remember this decision" box, before Denying the change). The format of the prompt was:

Category: System Startup Global Entry
Change: Value added
Entry: BM4f7e84f2 (Differs from the rest since M isn't a hex number)
new data: rundll32.exe "C\Windows\system32\glgoqovx.dll", s

Most of the other SB popups I get have this format:

Category: Browser Helper Object
Change: Value added
Entry: {some hexadecimal address}
(new data field is blank)

Firefox stopped working at some point, so I opened IE (6.0) and I kept getting warnings about errors reading scripts on a web page that I wasn't trying to open. Now that FF is back running, that webpage is opened in a new window (commercials from adnetserver.com). Among the malware I got was (sorry, didn't write 'em down, can't remember them all) TrojanDownloader.XS, WebHancer, coolWWWsearch, yayabskk, and *something*10.dll. I usually run Spybot every other day, and very rarely have any hits, but when my problems started Spybot found 49 entries, 5 of which were from webHancer (the webHancer files were not fixed at once, but after 2 reboots where Spybot ran as part of the startup process it said the files were successfully removed.)
Here's my HJT log if anyone is willing to take a look :)

Logfile of HijackThis v1.99.1
Scan saved at 3:41:49 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\winself.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
c:\windows\system32\jrwnw64j.exe
C:\WINDOWS\system32\lcntskdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {0CC7B9ED-9566-C5BC-89DD-02791AA1A9AC} - C:\Documents and Settings\All Users\Application Data\MntDscMon\HlpGenAdm.dll
O2 - BHO: (no name) - {3E318ED4-977B-2C72-D4A5-07D2DCD34B0E} - C:\Documents and Settings\All Users\Application Data\cfgaplapp\admwebsmart.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C108AE59-C97F-4517-8B74-5590BE3C2A82} - C:\WINDOWS\system32\yayaBSkk.dll
O2 - BHO: (no name) - {E2D4D2D4-3832-4688-AC50-94A0C2562B0F} - C:\WINDOWS\system32\urqQhffE.dll (file missing)
O2 - BHO: (no name) - {FAC7780D-A171-4295-A32C-BD585460F860} - C:\WINDOWS\system32\geBsrpmM.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntskdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jrwnw64j.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayaBSkk - C:\WINDOWS\SYSTEM32\yayaBSkk.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
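The helpers in this thread read the HJT log above by eye, looking for the same handful of tells on every line: a registered component whose file is gone, a BHO with no name, a hosts-file override, a Winlogon Notify DLL, a service with no vendor, and the eight-character random file names the droppers in this log use (yayaBSkk, jrwnw64j, glgoqovx). As an added example that is not part of the thread and not a HijackThis or Spybot feature, the Python script below turns those tells into rules and scores each O-line. The sample lines are copied from the log above; the rules, the score, and the small allow-list of verified paths are my own assumptions for the example.

```python
"""Rule-based triage of HijackThis v1.99 'O' lines.

Added example for this thread; it is not part of HijackThis or Spybot.
The rules mirror what the helpers here check by eye: components whose
file is gone, nameless BHOs, hosts-file overrides, Winlogon Notify DLLs,
vendor-less services, and eight-character random-looking file names
dropped into the Windows directory.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {0CC7B9ED-9566-C5BC-89DD-02791AA1A9AC} - C:\Documents and Settings\All Users\Application Data\MntDscMon\HlpGenAdm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jrwnw64j.exe
O20 - Winlogon Notify: yayaBSkk - C:\WINDOWS\SYSTEM32\yayaBSkk.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# First drive-letter path ending in a binary extension; non-greedy so that
# "jre1.6.0_05" does not swallow the match.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|sys))", re.IGNORECASE)
# Naming pattern of the droppers in this thread (yayaBSkk, jrwnw64j, glgoqovx).
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{8}$")
WINDOWS_DIR = "c:\\windows\\"          # prefix also covers system32
# Assumed allow-list for this example: paths the reader has verified by
# signature or hash on this machine. Ati2evxx.exe would otherwise trip the
# eight-character rule; real triage verifies the file, never just the name.
KNOWN_GOOD_PATHS = {
    r"c:\windows\system32\ati2evxx.exe",
    r"c:\windows\system32\wgalogon.dll",
}


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def extract_path(line: str) -> Optional[str]:
    """Return the first binary path on the line, or None (e.g. O1 hosts lines)."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\yayaBSkk.dll' -> 'yayaBSkk'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_line(line: str) -> Finding:
    section = line.split(" - ", 1)[0]            # "O2", "O4", "O20", ...
    path = extract_path(line)
    low = path.lower() if path else ""
    if low in KNOWN_GOOD_PATHS:
        return Finding(section, line)            # verified file: no finding
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered component whose file is gone (leftover of a removed infection)")
    if section == "O1":
        reasons.append("hosts file override of a well-known domain")
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon at every logon")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service with no vendor string")
    if path:
        if low.startswith(WINDOWS_DIR) and RANDOM_STEM_RE.match(file_stem(path)):
            reasons.append("eight-character random-looking name in the Windows directory")
        if section == "O4" and "Startup:" in line and low.startswith(WINDOWS_DIR):
            reasons.append("Startup-folder shortcut pointing into the Windows directory")
        if "\\application data\\" in low:
            reasons.append("component stored under Application Data (writable without admin rights)")
    return Finding(section, line, reasons)


def triage_log(text: str) -> List[Finding]:
    """Score every O-line and return the suspicious ones, most reasons first."""
    findings = [triage_line(l) for l in text.splitlines() if re.match(r"O\d+ - ", l)]
    return sorted((f for f in findings if f.reasons), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run on the sample, the nameless BHO with a missing random-named DLL in system32 scores highest, the Application Data BHO, the Startup shortcut into system32 and the Winlogon Notify DLL follow, and the Java updater, the Spybot helper and the allow-listed ATI service produce no finding. The rules are deliberately noisy (an eight-character name is a hint, not proof), which is why the allow-list is keyed on full paths the reader has actually verified rather than on file names.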



#2 Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 26 May 2008 - 06:38 PM

Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 kaser

    New Member

  • 14 posts

Posted 27 May 2008 - 01:02 AM

Thank you for taking the time to look into this :)

Here's the logs you requested:

ComboFix log:


ComboFix 08-05-25.5 - Administrator 2008-05-27 3:13:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM4f7e84f2.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\explore.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\AGgMVyay.ini
C:\WINDOWS\system32\AGgMVyay.ini2
C:\WINDOWS\system32\aueflvjb.ini
C:\WINDOWS\system32\bhpsaodm.ini
C:\WINDOWS\system32\bmprltdm.ini
C:\WINDOWS\system32\bmprltdm.ini2
C:\WINDOWS\system32\bmprltdm.tmp
C:\WINDOWS\system32\cpewhiaf.exe
C:\WINDOWS\system32\cqhmgwpp.exe
C:\WINDOWS\system32\cxcqcgma.exe
C:\WINDOWS\system32\djveywoj.ini
C:\WINDOWS\system32\EffhQqru.ini
C:\WINDOWS\system32\EffhQqru.ini2
C:\WINDOWS\system32\ELTvwGgh.ini
C:\WINDOWS\system32\ELTvwGgh.ini2
C:\WINDOWS\system32\ewjlinhn.ini
C:\WINDOWS\system32\ggpffioe.exe
C:\WINDOWS\system32\kgkwvtdw.ini
C:\WINDOWS\system32\kvjnudqa.ini
C:\WINDOWS\system32\lgwmvksm.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MmprsBeg.ini
C:\WINDOWS\system32\MmprsBeg.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\oiylsdsx.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\shnetsud.ini
C:\WINDOWS\system32\shnetsud.ini2
C:\WINDOWS\system32\shnetsud.tmp
C:\WINDOWS\system32\WFOWayay.ini
C:\WINDOWS\system32\WFOWayay.ini2
C:\WINDOWS\system32\XaaHgfii.ini
C:\WINDOWS\system32\XaaHgfii.ini2
C:\WINDOWS\system32\yayaBSkk.dll
C:\WINDOWS\system32\yayVMgGA.dll
C:\WINDOWS\system32\ytuoyoug.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\winself.exe
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://patch.everquest.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 03:07 . 2008-05-27 03:07 116,736 --a------ C:\WINDOWS\system32\guoyouty.dll
2008-05-27 03:06 . 2008-05-27 03:06 124,928 --a------ C:\WINDOWS\system32\cbnwvvgs.dll
2008-05-27 02:23 . 2008-05-27 02:23 124,928 --a------ C:\WINDOWS\system32\vcbakkvp.dll
2008-05-27 02:20 . 2008-05-27 02:20 95,833 --a------ C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll-uninst.exe
2008-05-27 02:19 . 2008-05-27 02:19 49,184 --a------ C:\WINDOWS\system32\jrwnw64s.exe
2008-05-26 22:14 . 2008-05-26 22:14 401,964 --a------ C:\WINDOWS\system32\g40.exe
2008-05-26 22:14 . 2008-05-26 22:14 63,902 --a------ C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
2008-05-26 22:13 . 2008-05-26 22:13 134,144 --a------ C:\WINDOWS\system32\gvevucsh.dll
2008-05-26 22:04 . 2008-05-26 22:04 <DIR> d-------- C:\Program Files\kiykole
2008-05-26 22:04 . 2008-05-26 22:04 124,928 --a------ C:\WINDOWS\system32\glqubhcp.dll
2008-05-26 22:03 . 2008-05-26 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinSmart
2008-05-26 22:03 . 2008-05-26 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cmdadmapi
2008-05-26 22:03 . 2008-05-26 22:03 110,592 --a------ C:\WINDOWS\system32\ydmhkpkr.exe
2008-05-26 17:33 . 2008-05-26 17:33 134,144 --a------ C:\WINDOWS\system32\ottltqml.dll
2008-05-26 17:33 . 2008-05-26 17:33 124,928 --a------ C:\WINDOWS\system32\akqlajbm.dll
2008-05-26 17:33 . 2008-05-26 17:33 116,736 --a------ C:\WINDOWS\system32\mdtlrpmb.dll
2008-05-26 15:52 . 2008-05-26 15:52 116,736 --a------ C:\WINDOWS\system32\wdtvwkgk.dll
2008-05-26 15:49 . 2008-05-26 15:49 134,144 --a------ C:\WINDOWS\system32\ghjjhufg.dll
2008-05-26 15:44 . 2008-05-26 15:44 124,928 --a------ C:\WINDOWS\system32\glgoqovx.dll
2008-05-26 15:40 . 2008-05-26 15:40 49,171 --a------ C:\WINDOWS\system32\jrwnw64j.exe
2008-05-26 15:01 . 2008-05-26 15:41 <DIR> d-------- C:\Hijackthis
2008-05-26 14:26 . 2008-05-26 14:26 134,144 --a------ C:\WINDOWS\system32\btbqsygx.dll
2008-05-26 14:23 . 2008-05-26 14:23 124,928 --a------ C:\WINDOWS\system32\kpwgdsbu.dll
2008-05-26 14:22 . 2008-05-26 14:22 <DIR> d-------- C:\Program Files\qruekwd
2008-05-26 14:21 . 2008-05-26 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UiStr
2008-05-26 14:21 . 2008-05-26 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MntDscMon
2008-05-26 14:21 . 2008-05-26 14:21 98,304 --a------ C:\WINDOWS\system32\arwryhal.exe
2008-05-26 13:05 . 2008-05-26 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-26 11:33 . 2008-05-26 11:33 134,144 --a------ C:\WINDOWS\system32\cqrfqxmx.dll
2008-05-26 11:33 . 2008-05-26 11:33 115,712 --------- C:\WINDOWS\system32\aqdunjvk.dll
2008-05-26 11:30 . 2008-05-26 11:30 124,928 --a------ C:\WINDOWS\system32\vuoiccpe.dll
2008-05-26 00:06 . 2008-05-26 00:06 115,712 --------- C:\WINDOWS\system32\bjvlfeua.dll
2008-05-26 00:05 . 2008-05-26 00:05 <DIR> d-------- C:\Program Files\uqyfkdd
2008-05-26 00:05 . 2008-05-26 00:05 200,771 --a------ C:\WINDOWS\system32\lcntskdm.exe
2008-05-26 00:04 . 2008-05-26 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cmdweb
2008-05-26 00:04 . 2008-05-26 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cfgaplapp
2008-05-26 00:04 . 2008-05-26 00:04 98,304 --a------ C:\WINDOWS\system32\kvgtwpaf.exe
2008-05-25 23:11 . 2008-05-25 23:11 18,688 --a------ C:\WINDOWS\cpan.dll
2008-05-25 23:10 . 2008-05-26 22:02 748 --a------ C:\WINDOWS\wininit.ini
2008-05-25 22:01 . 2008-05-25 22:01 115,712 --a------ C:\WINDOWS\system32\dustenhs.dll
2008-05-25 21:57 . 2008-05-25 21:57 <DIR> d-------- C:\Program Files\pgtpflf
2008-05-25 21:57 . 2008-05-25 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinDbAct
2008-05-25 21:57 . 2008-05-25 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GenDsc
2008-05-25 21:57 . 2008-05-25 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bqtsncra
2008-05-25 21:57 . 2008-05-25 21:57 298,315 --a------ C:\WINDOWS\system32\gside.exe
2008-05-25 21:57 . 2008-05-25 21:57 200,775 --a------ C:\WINDOWS\system32\kcntskdm.exe
2008-05-25 21:57 . 2008-05-25 21:57 94,208 --a------ C:\WINDOWS\system32\nivapmzq.exe
2008-05-25 21:57 . 2008-05-27 02:20 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-25 21:57 . 2008-05-26 22:05 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-25 21:56 . 2008-05-26 17:24 <DIR> d-------- C:\WINDOWS\system32\xnA
2008-05-25 21:56 . 2008-05-25 21:56 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-25 21:56 . 2008-05-25 21:56 <DIR> d-------- C:\WINDOWS\system32\3056v
2008-05-25 21:56 . 2008-05-25 21:56 <DIR> d-------- C:\Temp\vtmp2
2008-05-25 21:55 . 2008-05-25 21:55 87,513 --a------ C:\WINDOWS\system32\vbpdtvdp.exe
2008-05-25 21:55 . 2008-05-25 21:55 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-25 18:57 . 2008-05-25 18:57 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-25 18:57 . 2008-05-25 18:57 12,423 --a------ C:\WINDOWS\scunin.dat
2008-05-25 18:57 . 2008-05-25 18:57 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-23 03:57 . 2008-05-23 03:57 <DIR> d-------- C:\New Folder
2008-05-22 07:38 . 2008-05-26 14:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 07:38 . 2008-05-22 07:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 23:05 . 2008-05-20 23:05 32,768 --a------ C:\WINDOWS\system32\vntiho06\vntiho061083.exe
2008-05-19 15:55 . 2008-05-19 15:55 439,808 --a------ C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll
2008-05-03 04:41 . 2008-05-03 04:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Macromedia
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 00:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-05-26 09:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-25 19:54 --------- d-----w C:\Program Files\mIRC
2008-05-23 02:17 --------- d-----w C:\Program Files\divprog
2008-05-21 23:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-05 09:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-28 03:41 --------- d-----w C:\Program Files\tempto
2008-04-23 18:24 --------- d-----w C:\Program Files\WinPcap
2008-04-23 18:04 --------- d-----w C:\Program Files\Wireshark
2008-04-21 13:54 --------- d-----w C:\Program Files\Dreamweaver
2008-04-10 07:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-08 08:56 --------- d-----w C:\Program Files\Azureus
2008-04-03 12:00 --------- d-----w C:\Program Files\Opera
2008-03-30 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-30 13:52 --------- d-----w C:\Program Files\ABC
2008-02-17 23:21 795,278,976 ----a-w C:\Program Files\ADBEILSTCS3_WWE.exe
2007-12-25 16:59 67,196,968 ----a-w C:\Program Files\directx_nov2007_redist.exe
2007-12-13 07:54 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2007-12-13 07:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-10-21 15:33 80,689,382 ----a-w C:\Program Files\sqldeveloper-1.2.1.3213.zip
2006-10-25 23:28 7,168 ----a-w C:\Documents and Settings\Administrator\queue.dat
2006-10-25 23:28 1,683,456 ----a-w C:\Documents and Settings\Administrator\FahCore_82.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00CB1904-7E9B-4383-8713-C7BC60C9DF43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CC7B9ED-9566-C5BC-89DD-02791AA1A9AC}]
2008-05-26 14:21 55808 --a------ C:\Documents and Settings\All Users\Application Data\MntDscMon\HlpGenAdm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13B347C7-91FF-3A76-1890-039EB2444A9D}]
2008-05-27 03:24 61952 --a------ C:\Documents and Settings\All Users\Application Data\dbmsgweb\ChkStr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F32AAD1-D096-6CA3-52AA-0193A6D98D71}]
2008-05-26 22:03 58880 --a------ C:\Documents and Settings\All Users\Application Data\cmdadmapi\genapl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E318ED4-977B-2C72-D4A5-07D2DCD34B0E}]
2008-05-26 00:04 58880 --a------ C:\Documents and Settings\All Users\Application Data\cfgaplapp\admwebsmart.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C77C2B-15C3-4CA9-8F38-6C5F86BC4494}]
C:\WINDOWS\system32\yayaWOFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8035E5E3-D85D-478D-BCBC-F50016A5F306}]
C:\WINDOWS\system32\iifgHaaX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cf916a3-c051-3e6e-0649-ecf81bd1bfbb}]
2008-05-05 18:24 330752 --a------ C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C108AE59-C97F-4517-8B74-5590BE3C2A82}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA591AA0-076D-478F-AD11-AABFDDD2D1BA}]
C:\WINDOWS\system32\hgGwvTLE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D4D2D4-3832-4688-AC50-94A0C2562B0F}]
C:\WINDOWS\system32\urqQhffE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAC7780D-A171-4295-A32C-BD585460F860}]
C:\WINDOWS\system32\geBsrpmM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"dasuykoh"="C:\WINDOWS\system32\odarazwz.exe" [2008-05-27 03:24 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 19:47 73728]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"4c4db76e"="C:\WINDOWS\system32\guoyouty.dll" [2008-05-27 03:07 116736]
"BM4f7e84f2"="C:\WINDOWS\system32\cbnwvvgs.dll" [2008-05-27 03:06 124928]
"{DB-B7-7C-C1-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-05-27 03:22 49198]
"{87771a2b-8c63-a790-5ccf-6a8ad4b667d1}"="C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll" [2008-05-05 18:24 330752]
"ExploreUpdSched"="C:\WINDOWS\system32\kcntskdm.exe" [2008-05-25 21:57 200775]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 21:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 21:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 19:59 44544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Deewoo.lnk - C:\WINDOWS\system32\kcntskdm.exe [2008-05-25 21:57:17 200775]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-05-27 03:22:49 49198]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-06-27 23:58:04 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"56DRZ4PM8l"= C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hlpmonsrv"= {5C53DB1F-30FF-2885-E7E3-04BB4DC29854} - C:\Program Files\fmxvyef\hlpmonsrv.dll [2008-05-27 03:24 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18772:TCP"= 18772:TCP:BitComet 18772 TCP
"18772:UDP"= 18772:UDP:BitComet 18772 UDP
"51123:TCP"= 51123:TCP:*:Disabled:abc
"51124:TCP"= 51124:TCP:*:Disabled:ab124
"51125:TCP"= 51125:TCP:*:Disabled:ab125
"51126:TCP"= 51126:TCP:*:Disabled:ab126

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 12:22]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 22:28]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 03:20:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\msnav32.ax 36 bytes
C:\WINDOWS\system32\rwwnw64d.exe 49198 bytes executable
C:\WINDOWS\system32\g11.exe 401974 bytes executable
C:\WINDOWS\system32\lcntqkdm.exe 200767 bytes executable
C:\WINDOWS\system32\ytuoyoug.ini 294 bytes
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\guoyouty.dll
-> C:\WINDOWS\system32\cbnwvvgs.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-27 3:29:15 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-27 01:29:06

Pre-Run: 2,229,784,576 bytes free
Post-Run: 2,163,347,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

317



HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:45:23 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\odarazwz.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0CC7B9ED-9566-C5BC-89DD-02791AA1A9AC} - C:\Documents and Settings\All Users\Application Data\MntDscMon\HlpGenAdm.dll
O2 - BHO: (no name) - {13B347C7-91FF-3A76-1890-039EB2444A9D} - C:\Documents and Settings\All Users\Application Data\dbmsgweb\ChkStr.dll
O2 - BHO: (no name) - {1F32AAD1-D096-6CA3-52AA-0193A6D98D71} - C:\Documents and Settings\All Users\Application Data\cmdadmapi\genapl.dll
O2 - BHO: (no name) - {3E318ED4-977B-2C72-D4A5-07D2DCD34B0E} - C:\Documents and Settings\All Users\Application Data\cfgaplapp\admwebsmart.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: (no name) - {8035E5E3-D85D-478D-BCBC-F50016A5F306} - C:\WINDOWS\system32\iifgHaaX.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: gooochi browser optimizer - {9cf916a3-c051-3e6e-0649-ecf81bd1bfbb} - C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {DA591AA0-076D-478F-AD11-AABFDDD2D1BA} - C:\WINDOWS\system32\hgGwvTLE.dll (file missing)
O2 - BHO: (no name) - {E2D4D2D4-3832-4688-AC50-94A0C2562B0F} - C:\WINDOWS\system32\urqQhffE.dll (file missing)
O2 - BHO: (no name) - {FAC7780D-A171-4295-A32C-BD585460F860} - C:\WINDOWS\system32\geBsrpmM.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [BM4f7e84f2] Rundll32.exe "C:\WINDOWS\system32\cbnwvvgs.dll",s
O4 - HKLM\..\Run: [{DB-B7-7C-C1-DW}] c:\windows\system32\rwwnw64d.exe DWramFF
O4 - HKLM\..\Run: [{87771a2b-8c63-a790-5ccf-6a8ad4b667d1}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll" DllInit
O4 - HKLM\..\Run: [4c4db76e] rundll32.exe "C:\WINDOWS\system32\guoyouty.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntskdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: hlpmonsrv - {5C53DB1F-30FF-2885-E7E3-04BB4DC29854} - C:\Program Files\fmxvyef\hlpmonsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 8:37:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 801145
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 149372
Number of viruses found: 14
Number of infected objects: 35
Number of suspicious objects: 27
Duration of the scan process: 04:12:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\B23E4567d01.bac_a03632 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\keyfinder.exe.bac_a03632/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\keyfinder.exe.bac_a03632/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\keyfinder.exe.bac_a03632/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\keyfinder.exe.bac_a03632 RarSFX: infected - 3 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\keyfinder.exe.bac_a03632 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_430.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_750.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_7d0.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_9e4.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_edc.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip/window.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/clrssn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC23.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC26.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC28.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC28.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/window.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/clrssn.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\eirik.err Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\tempto\nye torrentsl\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Program Files\tempto\nye torrentsl\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Program Files\tempto\nye torrentsl\mirc62.exe NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.coh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\3056v\tgvram102.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\WINDOWS\system32\aqdunjvk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\WINDOWS\system32\arwryhal.exe Suspicious: Type_Win32 skipped
C:\WINDOWS\system32\bjvlfeua.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dustenhs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\WINDOWS\system32\g11.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g11.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g11.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\g40.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g40.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\g40.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jrwnw64j.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\WINDOWS\system32\jrwnw64s.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\WINDOWS\system32\kcntskdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\kvgtwpaf.exe Suspicious: Type_Win32 skipped
C:\WINDOWS\system32\lcntqkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\lcntskdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\nivapmzq.exe Suspicious: Type_Win32 skipped
C:\WINDOWS\system32\odarazwz.exe Suspicious: Type_Win32 skipped
C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\WINDOWS\system32\vbpdtvdp.exe Infected: not-virus:Hoax.Win32.Renos.coh skipped
C:\WINDOWS\system32\vntiho06\vntiho061083.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ydmhkpkr.exe Suspicious: Type_Win32 skipped
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\vgraph.dll Infected: not-a-virus:AdWare.Win32.Webdir.c skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
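
Added triage helper, not part of this thread or of HijackThis, ComboFix or Kaspersky: the script below parses a few lines copied from the HijackThis log and the Kaspersky report above, then flags each O2/O4 entry that points at a file the scanner reported, that is marked "(file missing)", or that is an autorun loading a DLL through rundll32. The path regex, the flag wording and the choice of sample lines are the example's own assumptions, and the sample input is constructed from lines on this page.

```python
"""Cross-reference HijackThis BHO/autorun entries with a Kaspersky scan report.

Added triage example (not part of the forum thread or of any of the tools).
It parses the two log formats pasted in this thread and flags entries that
  * point at a file the scanner reported as Infected or Suspicious,
  * are orphaned ("(file missing)"), or
  * load a DLL through rundll32 from an autorun key.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section path flags")

# Any Windows drive path ending in one of the extensions seen in these logs.
# Anchoring on the extension lets paths with spaces ("Program Files") through.
_PATH_RE = re.compile(
    r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ax|ini|cfg|bin|lnk|htt)\b", re.IGNORECASE
)
# Kaspersky line: "<path> Infected: <name> skipped" or "<path> Suspicious: <name> skipped"
_KAV_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?:Infected|Suspicious): (?P<verdict>\S+) skipped$"
)

# Constructed sample input: lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: gooochi browser optimizer - {9cf916a3-c051-3e6e-0649-ecf81bd1bfbb} - C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
O4 - HKLM\..\Run: [BM4f7e84f2] Rundll32.exe "C:\WINDOWS\system32\cbnwvvgs.dll",s
O4 - HKLM\..\Run: [{DB-B7-7C-C1-DW}] c:\windows\system32\rwwnw64d.exe DWramFF
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntskdm.exe
"""

# Constructed sample input: lines copied from the Kaspersky report in this thread.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\WINDOWS\system32\kcntskdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def parse_kav_report(text):
    """Map lower-cased path -> scanner verdict; locked/clean objects are dropped."""
    verdicts = {}
    for line in text.splitlines():
        m = _KAV_RE.match(line.strip())
        if m:
            verdicts[m.group("path").lower()] = m.group("verdict")
    return verdicts


def extract_paths(hjt_line):
    """Return every drive path referenced by one HijackThis line."""
    return _PATH_RE.findall(hjt_line)


def triage(hjt_text, verdicts):
    """Return a Finding for each HijackThis entry that trips at least one flag."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", ...
        for path in extract_paths(line):
            flags = []
            if "(file missing)" in line:
                flags.append("orphaned: file missing")
            if path.lower() in verdicts:
                flags.append("scanner verdict: " + verdicts[path.lower()])
            if section == "O4" and "rundll32" in line.lower():
                flags.append("loaded through rundll32")
            if flags:
                findings.append(Finding(section, path, tuple(flags)))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, parse_kav_report(KAV_SAMPLE)):
        print(f"{f.section}  {f.path}\n      -> {'; '.join(f.flags)}")
```

Run on the sample it reports five of the six entries and leaves the Java updater alone; the legitimate entries fall out because nothing independent (scanner verdict, missing file, rundll32 loader) corroborates them, which is the same cross-checking the helpers in this thread do by hand.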

#4 Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 27 May 2008 - 06:25 AM

A lot of malware on this PC

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\guoyouty.dll
C:\WINDOWS\system32\cbnwvvgs.dll
C:\WINDOWS\system32\vcbakkvp.dll
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll-uninst.exe
C:\WINDOWS\system32\jrwnw64s.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\gvevucsh.dll
C:\WINDOWS\system32\glqubhcp.dll
C:\WINDOWS\system32\ydmhkpkr.exe
C:\WINDOWS\system32\ottltqml.dll
C:\WINDOWS\system32\akqlajbm.dll
C:\WINDOWS\system32\mdtlrpmb.dll
C:\WINDOWS\system32\wdtvwkgk.dll
C:\WINDOWS\system32\ghjjhufg.dll
C:\WINDOWS\system32\glgoqovx.dll
C:\WINDOWS\system32\jrwnw64j.exe
C:\WINDOWS\system32\btbqsygx.dll
C:\WINDOWS\system32\kpwgdsbu.dll
C:\WINDOWS\system32\arwryhal.exe
C:\WINDOWS\system32\cqrfqxmx.dll
C:\WINDOWS\system32\aqdunjvk.dll
C:\WINDOWS\system32\vuoiccpe.dll
C:\WINDOWS\system32\bjvlfeua.dll
C:\WINDOWS\system32\lcntskdm.exe
C:\WINDOWS\system32\kvgtwpaf.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\system32\dustenhs.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\nivapmzq.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\WINDOWS\system32\aqdunjvk.dll
C:\WINDOWS\system32\arwryhal.exe
C:\WINDOWS\system32\bjvlfeua.dll
C:\WINDOWS\system32\dustenhs.dll
C:\WINDOWS\system32\g11.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\jrwnw64j.exe
C:\WINDOWS\system32\jrwnw64s.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\kvgtwpaf.exe
C:\WINDOWS\system32\lcntqkdm.exe
C:\WINDOWS\system32\lcntskdm.exe
C:\WINDOWS\system32\nivapmzq.exe
C:\WINDOWS\system32\odarazwz.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\ydmhkpkr.exe
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\vgraph.dll

Folder::
C:\Program Files\kiykole
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\3056v
C:\WINDOWS\system32\xnA
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\3056v
C:\Temp\vtmp2
C:\Program Files\pgtpflf
C:\Documents and Settings\All Users\Application Data\WinDbAct
C:\Documents and Settings\All Users\Application Data\GenDsc
C:\Documents and Settings\All Users\Application Data\bqtsncra
C:\Documents and Settings\All Users\Application Data\cmdweb
C:\Documents and Settings\All Users\Application Data\cfgaplapp
C:\Program Files\uqyfkdd
C:\Program Files\qruekwd
C:\Documents and Settings\All Users\Application Data\UiStr
C:\Documents and Settings\All Users\Application Data\MntDscMon
C:\Documents and Settings\All Users\Application Data\WinSmart
C:\Documents and Settings\All Users\Application Data\cmdadmapi

Rootkit::
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\g11.exe
C:\WINDOWS\system32\lcntqkdm.exe
C:\WINDOWS\system32\ytuoyoug.ini
C:\WINDOWS\system32\zxdnt3d.cfg

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#5 kaser

    New Member

  • New Member
  • 14 posts

Posted 28 May 2008 - 07:24 AM

New ComboFix log:

ComboFix 08-05-25.5 - Administrator 2008-05-28 15:06:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.707 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\WINDOWS\cpan.dll
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll-uninst.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\akqlajbm.dll
C:\WINDOWS\system32\aqdunjvk.dll
C:\WINDOWS\system32\arwryhal.exe
C:\WINDOWS\system32\bjvlfeua.dll
C:\WINDOWS\system32\btbqsygx.dll
C:\WINDOWS\system32\cbnwvvgs.dll
C:\WINDOWS\system32\cqrfqxmx.dll
C:\WINDOWS\system32\dustenhs.dll
C:\WINDOWS\system32\g11.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\ghjjhufg.dll
C:\WINDOWS\system32\glgoqovx.dll
C:\WINDOWS\system32\glqubhcp.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\guoyouty.dll
C:\WINDOWS\system32\gvevucsh.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\jrwnw64j.exe
C:\WINDOWS\system32\jrwnw64s.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\kpwgdsbu.dll
C:\WINDOWS\system32\kvgtwpaf.exe
C:\WINDOWS\system32\lcntqkdm.exe
C:\WINDOWS\system32\lcntskdm.exe
C:\WINDOWS\system32\mdtlrpmb.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nivapmzq.exe
C:\WINDOWS\system32\odarazwz.exe
C:\WINDOWS\system32\ottltqml.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\vcbakkvp.dll
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\WINDOWS\system32\vuoiccpe.dll
C:\WINDOWS\system32\wdtvwkgk.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ydmhkpkr.exe
C:\WINDOWS\vgraph.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\bqtsncra
C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe
C:\Documents and Settings\All Users\Application Data\cfgaplapp
C:\Documents and Settings\All Users\Application Data\cfgaplapp\admwebsmart.dll
C:\Documents and Settings\All Users\Application Data\cmdadmapi
C:\Documents and Settings\All Users\Application Data\cmdadmapi\genapl.dll
C:\Documents and Settings\All Users\Application Data\cmdweb
C:\Documents and Settings\All Users\Application Data\cmdweb\srvinfowin.dll
C:\Documents and Settings\All Users\Application Data\GenDsc
C:\Documents and Settings\All Users\Application Data\GenDsc\SetStr.dll
C:\Documents and Settings\All Users\Application Data\MntDscMon
C:\Documents and Settings\All Users\Application Data\MntDscMon\HlpGenAdm.dll
C:\Documents and Settings\All Users\Application Data\UiStr
C:\Documents and Settings\All Users\Application Data\UiStr\shuiapl.dll
C:\Documents and Settings\All Users\Application Data\WinDbAct
C:\Documents and Settings\All Users\Application Data\WinDbAct\webaplapp.dll
C:\Documents and Settings\All Users\Application Data\WinSmart
C:\Documents and Settings\All Users\Application Data\WinSmart\WinGen.dll
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\Program Files\kiykole
C:\Program Files\kiykole\AppAdm.dll
C:\Program Files\pgtpflf
C:\Program Files\pgtpflf\apidsc.dll
C:\Program Files\qruekwd
C:\Program Files\qruekwd\hlpenact.dll
C:\Program Files\uqyfkdd
C:\Program Files\uqyfkdd\seten.dll
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\BM4f7e84f2.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\_{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll-uninst.exe
C:\WINDOWS\system32\{a34614c9-d6fb-8c5f-0e8b-217b7de8f6ae}.dll
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\3056v
C:\WINDOWS\system32\3056v\tgvram102.exe
C:\WINDOWS\system32\akqlajbm.dll
C:\WINDOWS\system32\aqdunjvk.dll
C:\WINDOWS\system32\arwryhal.exe
C:\WINDOWS\system32\bjvlfeua.dll
C:\WINDOWS\system32\btbqsygx.dll
C:\WINDOWS\system32\cbnwvvgs.dll
C:\WINDOWS\system32\cqrfqxmx.dll
C:\WINDOWS\system32\dustenhs.dll
C:\WINDOWS\system32\g11.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\ghjjhufg.dll
C:\WINDOWS\system32\glgoqovx.dll
C:\WINDOWS\system32\glqubhcp.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\gvevucsh.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\jrwnw64j.exe
C:\WINDOWS\system32\jrwnw64s.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\kpwgdsbu.dll
C:\WINDOWS\system32\kvgtwpaf.exe
C:\WINDOWS\system32\lcntqkdm.exe
C:\WINDOWS\system32\lcntskdm.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdtlrpmb.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nivapmzq.exe
C:\WINDOWS\system32\odarazwz.exe
C:\WINDOWS\system32\ottltqml.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\vcbakkvp.dll
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\WINDOWS\system32\vuoiccpe.dll
C:\WINDOWS\system32\wdtvwkgk.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xnA
C:\WINDOWS\system32\ydmhkpkr.exe
C:\WINDOWS\system32\ytuoyoug.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\vgraph.dll
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 08:54 . 2008-05-27 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\appmsg
2008-05-27 08:54 . 2008-05-27 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\appcfgsrv
2008-05-27 08:54 . 2008-05-27 08:54 102,400 --a------ C:\WINDOWS\system32\uryhahwd.exe
2008-05-27 08:53 . 2008-05-27 08:53 49,220 --a------ C:\WINDOWS\system32\jpwnw64r.exe
2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 03:24 . 2008-05-27 03:24 <DIR> d-------- C:\Program Files\fmxvyef
2008-05-27 03:24 . 2008-05-27 03:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dbmsgweb
2008-05-27 03:24 . 2008-05-27 03:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AppCmd
2008-05-26 15:01 . 2008-05-27 08:44 <DIR> d-------- C:\Hijackthis
2008-05-26 13:05 . 2008-05-26 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-25 23:10 . 2008-05-26 22:02 748 --a------ C:\WINDOWS\wininit.ini
2008-05-25 18:57 . 2008-05-25 18:57 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-25 18:57 . 2008-05-25 18:57 12,423 --a------ C:\WINDOWS\scunin.dat
2008-05-25 18:57 . 2008-05-25 18:57 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-23 03:57 . 2008-05-23 03:57 <DIR> d-------- C:\New Folder
2008-05-22 07:38 . 2008-05-26 14:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 07:38 . 2008-05-22 07:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 04:41 . 2008-05-03 04:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Macromedia
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 13:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-05-26 09:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-25 19:54 --------- d-----w C:\Program Files\mIRC
2008-05-23 02:17 --------- d-----w C:\Program Files\divprog
2008-05-21 23:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-05 09:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-28 03:41 --------- d-----w C:\Program Files\tempto
2008-04-23 18:24 --------- d-----w C:\Program Files\WinPcap
2008-04-23 18:04 --------- d-----w C:\Program Files\Wireshark
2008-04-21 13:54 --------- d-----w C:\Program Files\Dreamweaver
2008-04-10 07:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-08 08:56 --------- d-----w C:\Program Files\Azureus
2008-04-03 12:00 --------- d-----w C:\Program Files\Opera
2008-03-30 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-30 13:52 --------- d-----w C:\Program Files\ABC
2008-02-17 23:21 795,278,976 ----a-w C:\Program Files\ADBEILSTCS3_WWE.exe
2007-12-25 16:59 67,196,968 ----a-w C:\Program Files\directx_nov2007_redist.exe
2007-12-13 07:54 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2007-12-13 07:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-10-21 15:33 80,689,382 ----a-w C:\Program Files\sqldeveloper-1.2.1.3213.zip
2006-10-25 23:28 7,168 ----a-w C:\Documents and Settings\Administrator\queue.dat
2006-10-25 23:28 1,683,456 ----a-w C:\Documents and Settings\Administrator\FahCore_82.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-27_ 3.28.46.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 01:20:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 13:11:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-27 00:21:39 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-28 13:04:22 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-27 00:21:40 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-28 13:04:22 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00CB1904-7E9B-4383-8713-C7BC60C9DF43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CC7B9ED-9566-C5BC-89DD-02791AA1A9AC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13B347C7-91FF-3A76-1890-039EB2444A9D}]
2008-05-27 03:24 61952 --a------ C:\Documents and Settings\All Users\Application Data\dbmsgweb\ChkStr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F32AAD1-D096-6CA3-52AA-0193A6D98D71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E318ED4-977B-2C72-D4A5-07D2DCD34B0E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C77C2B-15C3-4CA9-8F38-6C5F86BC4494}]
C:\WINDOWS\system32\yayaWOFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8035E5E3-D85D-478D-BCBC-F50016A5F306}]
C:\WINDOWS\system32\iifgHaaX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cf916a3-c051-3e6e-0649-ecf81bd1bfbb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C108AE59-C97F-4517-8B74-5590BE3C2A82}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA591AA0-076D-478F-AD11-AABFDDD2D1BA}]
C:\WINDOWS\system32\hgGwvTLE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D4D2D4-3832-4688-AC50-94A0C2562B0F}]
C:\WINDOWS\system32\urqQhffE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAC7780D-A171-4295-A32C-BD585460F860}]
C:\WINDOWS\system32\geBsrpmM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB834"="command /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]
"SpybotDeletingD2430"="cmd /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 19:47 73728]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"@"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 21:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 21:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 19:59 44544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"56DRZ4PM8l"= C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18772:TCP"= 18772:TCP:BitComet 18772 TCP
"18772:UDP"= 18772:UDP:BitComet 18772 UDP
"51123:TCP"= 51123:TCP:*:Disabled:abc
"51124:TCP"= 51124:TCP:*:Disabled:ab124
"51125:TCP"= 51125:TCP:*:Disabled:ab125
"51126:TCP"= 51126:TCP:*:Disabled:ab126

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 12:22]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 22:28]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 15:11:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\msnav32.ax 113 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.viri
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\ntvdm.exe
.
**************************************************************************
.
Completion time: 2008-05-28 15:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 13:18:14
ComboFix2.txt 2008-05-27 01:29:16

Pre-Run: 2,396,536,832 bytes free
Post-Run: 2,421,252,096 bytes free

323



new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:23:00 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {13B347C7-91FF-3A76-1890-039EB2444A9D} - C:\Documents and Settings\All Users\Application Data\dbmsgweb\ChkStr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: (no name) - {8035E5E3-D85D-478D-BCBC-F50016A5F306} - C:\WINDOWS\system32\iifgHaaX.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {DA591AA0-076D-478F-AD11-AABFDDD2D1BA} - C:\WINDOWS\system32\hgGwvTLE.dll (file missing)
O2 - BHO: (no name) - {E2D4D2D4-3832-4688-AC50-94A0C2562B0F} - C:\WINDOWS\system32\urqQhffE.dll (file missing)
O2 - BHO: (no name) - {FAC7780D-A171-4295-A32C-BD585460F860} - C:\WINDOWS\system32\geBsrpmM.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#6 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 28 May 2008 - 09:48 AM

Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\uryhahwd.exe
C:\WINDOWS\system32\jpwnw64r.exe

Folder::
C:\Documents and Settings\All Users\Application Data\appmsg
C:\Documents and Settings\All Users\Application Data\appcfgsrv
C:\Program Files\fmxvyef
C:\Documents and Settings\All Users\Application Data\dbmsgweb
C:\Documents and Settings\All Users\Application Data\AppCmd

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Also post a new HijackThis log

#7 kaser

kaser

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 28 May 2008 - 10:30 AM

The amount of TeaTimer popup boxes has reduced significantly. (Barely any now, before following your suggestions I had several new ones every second.)
I still have some IE popups though, and most of them cause a script error. (The script error might be due to me having IE 6.0; I haven't updated it as I never use it, I only use FF.)
Thanks a lot for the help so far :)

New ComboFix log:


ComboFix 08-05-25.5 - Administrator 2008-05-28 18:19:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.580 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\jpwnw64r.exe
C:\WINDOWS\system32\uryhahwd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\All Users\Application Data\appcfgsrv
C:\Documents and Settings\All Users\Application Data\appcfgsrv\SysDscCom.dll
C:\Documents and Settings\All Users\Application Data\AppCmd
C:\Documents and Settings\All Users\Application Data\AppCmd\smartsysinfo.dll
C:\Documents and Settings\All Users\Application Data\appmsg
C:\Documents and Settings\All Users\Application Data\appmsg\shapl.dll
C:\Documents and Settings\All Users\Application Data\dbmsgweb
C:\Documents and Settings\All Users\Application Data\dbmsgweb\ChkStr.dll
C:\Program Files\fmxvyef
C:\Program Files\fmxvyef\hlpmonsrv.dll
C:\WINDOWS\system32\jpwnw64r.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\uryhahwd.exe
C:\WINDOWS\system32\zxdnt3d.cfg
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 15:23 . 2008-05-28 15:23 200,780 --a------ C:\WINDOWS\system32\kcntskdm.exe
2008-05-28 15:23 . 2008-05-28 18:05 63,918 --a------ C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
2008-05-28 15:23 . 2008-05-28 15:23 859 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-28 15:22 . 2008-05-28 15:23 401,966 --a------ C:\WINDOWS\system32\g40.exe
2008-05-27 15:38 . 2008-05-27 15:38 371,200 --a------ C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 15:01 . 2008-05-28 15:22 <DIR> d-------- C:\Hijackthis
2008-05-26 13:05 . 2008-05-26 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-25 23:10 . 2008-05-26 22:02 748 --a------ C:\WINDOWS\wininit.ini
2008-05-25 18:57 . 2008-05-25 18:57 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-25 18:57 . 2008-05-25 18:57 12,423 --a------ C:\WINDOWS\scunin.dat
2008-05-25 18:57 . 2008-05-25 18:57 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-23 03:57 . 2008-05-23 03:57 <DIR> d-------- C:\New Folder
2008-05-22 07:38 . 2008-05-26 14:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 07:38 . 2008-05-22 07:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 04:41 . 2008-05-03 04:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Macromedia
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 16:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-05-26 09:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-25 19:54 --------- d-----w C:\Program Files\mIRC
2008-05-23 02:17 --------- d-----w C:\Program Files\divprog
2008-05-21 23:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-05 09:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-28 03:41 --------- d-----w C:\Program Files\tempto
2008-04-23 18:24 --------- d-----w C:\Program Files\WinPcap
2008-04-23 18:04 --------- d-----w C:\Program Files\Wireshark
2008-04-21 13:54 --------- d-----w C:\Program Files\Dreamweaver
2008-04-10 07:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-08 08:56 --------- d-----w C:\Program Files\Azureus
2008-04-03 12:00 --------- d-----w C:\Program Files\Opera
2008-03-30 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-30 13:52 --------- d-----w C:\Program Files\ABC
2008-02-17 23:21 795,278,976 ----a-w C:\Program Files\ADBEILSTCS3_WWE.exe
2007-12-25 16:59 67,196,968 ----a-w C:\Program Files\directx_nov2007_redist.exe
2007-12-13 07:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-10-21 15:33 80,689,382 ----a-w C:\Program Files\sqldeveloper-1.2.1.3213.zip
2006-10-25 23:28 7,168 ----a-w C:\Documents and Settings\Administrator\queue.dat
2006-10-25 23:28 1,683,456 ----a-w C:\Documents and Settings\Administrator\FahCore_82.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-27_ 3.28.46.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 01:20:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 16:14:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-26 20:14:38 63,902 ----a-w C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
+ 2008-05-28 16:05:08 63,918 ----a-w C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
+ 2008-05-27 13:38:46 371,200 ----a-w C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-27 00:21:39 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-28 16:19:01 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-27 00:21:40 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-28 16:19:01 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C77C2B-15C3-4CA9-8F38-6C5F86BC4494}]
C:\WINDOWS\system32\yayaWOFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8035E5E3-D85D-478D-BCBC-F50016A5F306}]
C:\WINDOWS\system32\iifgHaaX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cf916a3-c051-3e6e-0649-ecf81bd1bfbb}]
2008-05-27 15:38 371200 --a------ C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA591AA0-076D-478F-AD11-AABFDDD2D1BA}]
C:\WINDOWS\system32\hgGwvTLE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D4D2D4-3832-4688-AC50-94A0C2562B0F}]
C:\WINDOWS\system32\urqQhffE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAC7780D-A171-4295-A32C-BD585460F860}]
C:\WINDOWS\system32\geBsrpmM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB834"="command /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]
"SpybotDeletingD2430"="cmd /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 19:47 73728]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 21:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 21:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 19:59 44544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-06-27 23:58:04 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"56DRZ4PM8l"= C:\Documents and Settings\All Users\Application Data\bqtsncra\tkhqzsde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18772:TCP"= 18772:TCP:BitComet 18772 TCP
"18772:UDP"= 18772:UDP:BitComet 18772 UDP
"51123:TCP"= 51123:TCP:*:Disabled:abc
"51124:TCP"= 51124:TCP:*:Disabled:ab124
"51125:TCP"= 51125:TCP:*:Disabled:ab125
"51126:TCP"= 51126:TCP:*:Disabled:ab126

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 12:22]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 22:28]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 18:22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-05-28 18:25:32
ComboFix-quarantined-files.txt 2008-05-28 16:25:29
ComboFix2.txt 2008-05-28 13:18:21
ComboFix3.txt 2008-05-27 01:29:16

Pre-Run: 2,391,113,728 bytes free
Post-Run: 2,382,880,768 bytes free

192



New HJT Log:


Logfile of HijackThis v1.99.1
Scan saved at 6:30:20 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {13B347C7-91FF-3A76-1890-039EB2444A9D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: (no name) - {8035E5E3-D85D-478D-BCBC-F50016A5F306} - C:\WINDOWS\system32\iifgHaaX.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: gooochi browser optimizer - {9cf916a3-c051-3e6e-0649-ecf81bd1bfbb} - C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {DA591AA0-076D-478F-AD11-AABFDDD2D1BA} - C:\WINDOWS\system32\hgGwvTLE.dll (file missing)
O2 - BHO: (no name) - {E2D4D2D4-3832-4688-AC50-94A0C2562B0F} - C:\WINDOWS\system32\urqQhffE.dll (file missing)
O2 - BHO: (no name) - {FAC7780D-A171-4295-A32C-BD585460F860} - C:\WINDOWS\system32\geBsrpmM.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by kaser, 28 May 2008 - 10:36 AM.


#8 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 28 May 2008 - 10:36 AM

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {13B347C7-91FF-3A76-1890-039EB2444A9D} - (no file)
O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\WINDOWS\system32\yayaWOFW.dll (file missing)
O2 - BHO: (no name) - {8035E5E3-D85D-478D-BCBC-F50016A5F306} - C:\WINDOWS\system32\iifgHaaX.dll (file missing)
O2 - BHO: gooochi browser optimizer - {9cf916a3-c051-3e6e-0649-ecf81bd1bfbb} - C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
O2 - BHO: (no name) - {DA591AA0-076D-478F-AD11-AABFDDD2D1BA} - C:\WINDOWS\system32\hgGwvTLE.dll (file missing)
O2 - BHO: (no name) - {E2D4D2D4-3832-4688-AC50-94A0C2562B0F} - C:\WINDOWS\system32\urqQhffE.dll (file missing)
O2 - BHO: (no name) - {FAC7780D-A171-4295-A32C-BD585460F860} - C:\WINDOWS\system32\geBsrpmM.dll (file missing)
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll

Folder::
C:\Documents and Settings\All Users\Application Data\bqtsncra
C:\Program Files\webHancer

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"56DRZ4PM8l"=-

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
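The selection in step 1 above follows a handful of recognisable patterns in a HijackThis log: BHO registrations whose DLL is gone, a BHO loaded from a GUID-named DLL in system32, RunOnce values that only try to delete a file left behind by an earlier cleanup, and the missing default URLSearchHook. The script below is an added example, not code from this thread or from HijackThis; it encodes those patterns as a small triage pass over HJT v1.99 log lines. The regular expressions, the `Finding` type and the sample lines (taken from the log posted earlier in the thread) are constructed for this example.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not HJT code).

Flags the kinds of entries a helper typically ticks under "Fix checked":
orphaned O2 BHO registrations, O2 BHOs loaded from a GUID-named DLL,
O4 RunOnce values that are leftover deletion commands, and the missing
default URLSearchHook (R3). Benign Run entries and known-good BHOs pass.
"""
import re
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path, optionally followed by (file missing), or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# "O4 - HKLM\..\Run: [<value name>] <command>"  (key may be Run or RunOnce)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<command>.*)$"
)
# A DLL whose file name is nothing but a GUID, e.g. system32\{cbd11d9a-...}.dll
GUID_FILE_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str    # the original HJT line, as it would be ticked in the HJT window
    reason: str  # why it was flagged


def triage(lines):
    """Return a Finding for every HJT line matching one of the patterns above."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append(Finding(line, "default URLSearchHook missing; fixing restores the default"))
            continue
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registration points to a file that no longer exists"))
            elif GUID_FILE_RE.search(target):
                findings.append(Finding(line, "BHO loaded from a GUID-named DLL, a common adware pattern"))
            continue
        m = O4_RE.match(line)
        if m and m.group("key") == "RunOnce" and re.search(r"\bdel\b", m.group("command"), re.IGNORECASE):
            findings.append(Finding(line, "RunOnce value is a leftover deletion command from an earlier cleanup"))
    return findings


# Constructed sample: a subset of the HJT log posted earlier in this thread,
# plus two legitimate entries that must not be flagged.
SAMPLE_LOG = (
    "R3 - Default URLSearchHook is missing\n"
    "O2 - BHO: (no name) - {13B347C7-91FF-3A76-1890-039EB2444A9D} - (no file)\n"
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll\n"
    "O2 - BHO: (no name) - {78C77C2B-15C3-4CA9-8F38-6C5F86BC4494} - C:\\WINDOWS\\system32\\yayaWOFW.dll (file missing)\n"
    "O2 - BHO: gooochi browser optimizer - {9cf916a3-c051-3e6e-0649-ecf81bd1bfbb} - C:\\WINDOWS\\system32\\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll\n"
    "O4 - HKLM\\..\\Run: [SunJavaUpdateSched] \"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\"\n"
    "O4 - HKCU\\..\\RunOnce: [SpybotDeletingB834] command /c del \"C:\\Program Files\\webHancer\\Programs\\sporder.dll\"\n"
    "O4 - HKCU\\..\\RunOnce: [SpybotDeletingD2430] cmd /c del \"C:\\Program Files\\webHancer\\Programs\\sporder.dll\"\n"
)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the constructed sample, the pass flags six of the eight lines: the R3 line, the three BHO entries (one with no file, one with the file missing, one loaded from the GUID-named DLL) and both Spybot RunOnce leftovers; the Spybot SDHelper BHO and the Java updater Run entry are left alone. The output is a checklist to compare against the log by hand, not an automatic fix: HJT's "Fix checked" still has to be run by the person at the keyboard, and anything the script flags that is not in a helper's list deserves a second look rather than a tick.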

#9 kaser

kaser

    New Member

  • New Member
  • Pip
  • 14 posts

Posted 28 May 2008 - 10:52 AM

All ten items you listed were present in the HJT scan. All 10 were successfully removed, but the "R3 - Default URLSearchHook is missing" line popped right back up again.



New ComboFix log:


ComboFix 08-05-25.5 - Administrator 2008-05-28 18:46:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.576 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll-uninst.exe
C:\WINDOWS\system32\{cbd11d9a-51c3-075a-39f8-9327b79f9109}.dll
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\kcntskdm.exe
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 03:43 . 2008-05-27 03:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 15:01 . 2008-05-28 18:42 <DIR> d-------- C:\Hijackthis
2008-05-26 13:05 . 2008-05-26 13:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-25 23:10 . 2008-05-26 22:02 748 --a------ C:\WINDOWS\wininit.ini
2008-05-25 18:57 . 2008-05-25 18:57 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-25 18:57 . 2008-05-25 18:57 12,423 --a------ C:\WINDOWS\scunin.dat
2008-05-25 18:57 . 2008-05-25 18:57 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-23 03:57 . 2008-05-23 03:57 <DIR> d-------- C:\New Folder
2008-05-22 07:38 . 2008-05-26 14:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-22 07:38 . 2008-05-22 07:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 04:41 . 2008-05-03 04:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Macromedia
2008-04-30 21:41 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 16:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-05-26 09:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-25 19:54 --------- d-----w C:\Program Files\mIRC
2008-05-23 02:17 --------- d-----w C:\Program Files\divprog
2008-05-21 23:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-05-05 09:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-28 03:41 --------- d-----w C:\Program Files\tempto
2008-04-23 18:24 --------- d-----w C:\Program Files\WinPcap
2008-04-23 18:04 --------- d-----w C:\Program Files\Wireshark
2008-04-21 13:54 --------- d-----w C:\Program Files\Dreamweaver
2008-04-10 07:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-08 08:56 --------- d-----w C:\Program Files\Azureus
2008-04-03 12:00 --------- d-----w C:\Program Files\Opera
2008-03-30 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-30 13:52 --------- d-----w C:\Program Files\ABC
2008-02-17 23:21 795,278,976 ----a-w C:\Program Files\ADBEILSTCS3_WWE.exe
2007-12-25 16:59 67,196,968 ----a-w C:\Program Files\directx_nov2007_redist.exe
2007-12-13 07:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-10-21 15:33 80,689,382 ----a-w C:\Program Files\sqldeveloper-1.2.1.3213.zip
2006-10-25 23:28 7,168 ----a-w C:\Documents and Settings\Administrator\queue.dat
2006-10-25 23:28 1,683,456 ----a-w C:\Documents and Settings\Administrator\FahCore_82.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-27_ 3.28.46.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 01:20:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 16:14:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-27 00:21:39 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-28 16:19:01 61,860 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-27 00:21:40 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-28 16:19:01 401,018 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 19:47 73728]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 21:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 21:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 19:59 44544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-06-27 23:58:04 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18772:TCP"= 18772:TCP:BitComet 18772 TCP
"18772:UDP"= 18772:UDP:BitComet 18772 UDP
"51123:TCP"= 51123:TCP:*:Disabled:abc
"51124:TCP"= 51124:TCP:*:Disabled:ab124
"51125:TCP"= 51125:TCP:*:Disabled:ab125
"51126:TCP"= 51126:TCP:*:Disabled:ab126

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 12:22]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys [2003-06-02 22:28]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 17:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 18:47:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-05-28 18:48:51
ComboFix-quarantined-files.txt 2008-05-28 16:48:05
ComboFix2.txt 2008-05-28 16:25:33
ComboFix3.txt 2008-05-28 13:18:21
ComboFix4.txt 2008-05-27 01:29:16

Pre-Run: 2,365,997,056 bytes free
Post-Run: 2,360,041,472 bytes free

158




New HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 6:50:36 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#10 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 28 May 2008 - 11:13 AM

Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Reboot and post a new HijackThis log

#11 kaser

kaser

    New Member

  • New Member
  • 14 posts

Posted 28 May 2008 - 03:00 PM

Malwarebytes found 10 objects, and removed them.

In HijackThis these 3 lines keep popping up after a restart though:

R3 - Default URLSearchHook is missing
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"

I am starting to believe those come back up due to TeaTimer protection. Changes to that register being blacklisted or something.
I've shut down TeaTimer before running HJT and ComboFix, but it automatically restarts on reboot, and once Windows starts I get a few TeaTimer popup boxes saying some change was ignored due to user blacklisting. (The blacklisting basically just being me clicking "remember this selection" and then denying the change once those boxes started popping up.)


Malwarebyte log:

Malwarebytes' Anti-Malware 1.12
Database version: 794

Scan type: Quick Scan
Objects scanned: 34542
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Services.cpi (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.cpl (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:53:13 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#12 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 28 May 2008 - 03:13 PM

Hello

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
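As an added example, not part of this forum post or of HijackThis itself: a small Python parser for the HijackThis log format used throughout this thread. It pulls the hive, key, value name and command line out of O4 autostart lines and flags the two entry kinds the thread turns on, the stale Spybot RunOnce delete jobs and services whose file is missing. The sample log lines are constructed from entries quoted above; the regexes, the HjtEntry record and the flag names are my own, not anything HijackThis produces.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in HijackThis v1.99 log format (entries quoted in this thread; raw string keeps backslashes literal).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB834] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2430] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 registry autostart body: "<hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
@dataclass
class HjtEntry:
    section: str            # "R3", "O4", "O23", ...
    body: str               # everything after "O4 - "
    hive: str = ""          # HKLM / HKCU (O4 registry entries only)
    key: str = ""           # Run / RunOnce
    name: str = ""          # registry value name, e.g. SpybotDeletingB834
    command: str = ""       # command line launched at logon
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Parse HijackThis log lines into HjtEntry records; non-entry lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = HjtEntry(m["section"], m["body"])
        if e.section == "O4":
            m4 = O4_RE.match(e.body)
            if m4:
                e.hive, e.key, e.name, e.command = m4.group("hive", "key", "name", "command")
        entries.append(e)
    return entries

def triage(entries):
    """Flag the two entry kinds this thread turns on; returns only flagged entries."""
    for e in entries:
        # RunOnce job that only deletes a file: a leftover cleanup task, re-check after reboot
        if e.key == "RunOnce" and re.search(r"\b(cmd|command)\b.*/c\s+del\b", e.command, re.I):
            e.flags.append("runonce-delete")
        # autostart or service whose binary is gone: orphaned entry, review for removal
        if e.body.endswith("(file missing)"):
            e.flags.append("file-missing")
    return [e for e in entries if e.flags]
```

Running `triage(parse_hjt(SAMPLE_LOG))` on the sample returns the two SpybotDeleting RunOnce entries and the MySQL service, and leaves the TeaTimer Run entry and the ServiceLayer service unflagged.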

#13 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 02 June 2008 - 05:59 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
