Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91734 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Something, I'm not sure what


  • This topic is locked This topic is locked
20 replies to this topic

#1 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 05 June 2008 - 10:21 PM

So yesterday, I was trying to get to my E drive through my computer, and my anti-virus (avast!) said there was a virus(Win32:AuCrypt or something). My windows froze, and I had to press the reset button. I'm pretty noob at computers, just know how to use like games, word, stuff like that. So after I tried to go through my E drive like 3 times, I finally actually started avast, because it runs background scanners (right?), in hopes i could perform a full system scan. It said I should perform a boot scan because handling viruses like these was tricky, so I did, and it ran. It restarted and immediately ran a scan. It found a bunch of trojans and worms, but a lot of something called, Win32:AuCrypt.
I moved everything to chest[because that's usually the recommended action] and just let it scan through. I'm worried because I scanned my system again, and there's still viruses present. I don't know how it got there, but I think it's because my dad isn't cautious about the emails he opens or the places he puts his flash drive in. We share a computer, so its either one of our faults, but thats besides the point. I then after the scan and moving to chest, I tried going through my E drive through My computer, and I get the "Open With" box. I'm pretty confused, and really worried about this virus[and others]. My friend suggested that I get a HiJackThis log, and post my problems here. I realize reformat is an option, but if you[whoever is reading this] could help me before I'd have to, please help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:49 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\program files\steam\steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9848 bytes

Thanks for taking your time.
-Mr Panda

    Advertisements

Register to Remove


#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 05 June 2008 - 10:35 PM

Hi Mr Panda, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#3 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 05 June 2008 - 10:37 PM

Not to seem...[cant find the word] but how long could I expect a reply in? Thank you so much by the way.

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 06 June 2008 - 05:12 PM

Mr Panda,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

You mention your E drive. Do you use a thumb drive? If so, please let me know. It could carry this infection also.

A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

WINDOWS ONECARE
  • To Disable Antivirus: Open the Windows OneCare user interface.
  • Click View or Change Settings > Antivirus Tab.
  • Click the radio button to turn the anti-virus off.

AVAST
Right click on the avast! icon in system tray (looks like this: Posted Image) and choose (Stop On-Access Protection)



C. Go to Posted Image -> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

Posted Image
  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.


Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#5 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 06 June 2008 - 08:43 PM

Lately, I've been getting this weird thing, like it says new hardware identified or something, that little bubble, and this window pops up.

Posted Image

I dont know what this is, as I only have a Western Digital External hard drive and a Canon Scanner plugged into my compter.
I click cancel the installation, because I don't know what it is, and this window pops up.

Posted Image

If I click finish, it goes back to the first image, and keeps repeating..

My E: drive is an internal part of my hard drive. Most people have C and D drives(correct?) but while me and my friend built my computer(pretty much my friend), we were prompted to divide my hard drive into C and E, 50 in C, 200 in E.

Now if I click my E, it still opens.. but I want to reformat. I won't/wouldn't because a lot of my dad's information is on here. I don't know how much or what he needs, and if he really needs it, but all I have (being a teenager) is homework and games. School's almost over, so I don't need the documents anymore, and the games can be easily recovered.
My Combofix log

ComboFix 08-06-06.6 - Randy 2008-06-06 18:58:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1601 [GMT -7:00]
Running from: C:\Documents and Settings\Randy\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-05 21:08 . 2008-06-05 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 19:23 . 2008-06-05 19:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 19:23 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-06-05 19:23 . 2007-07-06 15:09 70,928 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-06-05 19:22 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-05 19:22 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-05 19:03 . 2008-06-05 19:03 <DIR> d-------- C:\Documents and Settings\Hank\Contacts
2008-06-05 19:01 . 2008-06-06 19:03 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-06-05 08:38 . 2008-06-05 08:38 268 --ah----- C:\sqmdata17.sqm
2008-06-05 08:38 . 2008-06-05 08:38 244 --ah----- C:\sqmnoopt17.sqm
2008-06-05 06:54 . 2008-06-05 06:54 268 --ah----- C:\sqmdata16.sqm
2008-06-05 06:54 . 2008-06-05 06:54 244 --ah----- C:\sqmnoopt16.sqm
2008-06-04 22:46 . 2008-06-04 22:46 268 --ah----- C:\sqmdata15.sqm
2008-06-04 22:46 . 2008-06-04 22:46 244 --ah----- C:\sqmnoopt15.sqm
2008-06-04 22:03 . 2008-06-04 22:13 <DIR> d-------- C:\Documents and Settings\Randy\DoctorWeb
2008-05-30 06:35 . 2008-05-30 06:35 268 --ah----- C:\sqmdata14.sqm
2008-05-30 06:35 . 2008-05-30 06:35 244 --ah----- C:\sqmnoopt14.sqm
2008-05-28 22:27 . 2008-05-28 22:27 268 --ah----- C:\sqmdata13.sqm
2008-05-28 22:27 . 2008-05-28 22:27 244 --ah----- C:\sqmnoopt13.sqm
2008-05-25 20:35 . 2008-05-25 20:35 268 --ah----- C:\sqmdata12.sqm
2008-05-25 20:35 . 2008-05-25 20:35 244 --ah----- C:\sqmnoopt12.sqm
2008-05-22 08:29 . 2008-05-22 08:29 268 --ah----- C:\sqmdata11.sqm
2008-05-22 08:29 . 2008-05-22 08:29 244 --ah----- C:\sqmnoopt11.sqm
2008-05-20 22:33 . 2008-05-20 22:33 268 --ah----- C:\sqmdata10.sqm
2008-05-20 22:33 . 2008-05-20 22:33 244 --ah----- C:\sqmnoopt10.sqm
2008-05-18 08:20 . 2008-05-18 08:20 268 --ah----- C:\sqmdata09.sqm
2008-05-18 08:20 . 2008-05-18 08:20 268 --ah----- C:\sqmdata08.sqm
2008-05-18 08:20 . 2008-05-18 08:20 244 --ah----- C:\sqmnoopt09.sqm
2008-05-18 08:20 . 2008-05-18 08:20 244 --ah----- C:\sqmnoopt08.sqm
2008-05-17 08:57 . 2008-05-17 08:57 268 --ah----- C:\sqmdata07.sqm
2008-05-17 08:57 . 2008-05-17 08:57 244 --ah----- C:\sqmnoopt07.sqm
2008-05-10 15:41 . 2008-05-10 15:41 268 --ah----- C:\sqmdata06.sqm
2008-05-10 15:41 . 2008-05-10 15:41 244 --ah----- C:\sqmnoopt06.sqm
2008-05-10 07:53 . 2008-05-10 07:53 268 --ah----- C:\sqmdata05.sqm
2008-05-10 07:53 . 2008-05-10 07:53 244 --ah----- C:\sqmnoopt05.sqm
2008-05-10 07:31 . 2008-05-10 07:31 268 --ah----- C:\sqmdata04.sqm
2008-05-10 07:31 . 2008-05-10 07:31 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 02:03 --------- d-----w C:\Program Files\Steam
2008-06-06 04:12 --------- d-----w C:\Documents and Settings\Randy\Application Data\SiteAdvisor
2008-06-06 02:08 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-06 02:06 --------- d-----w C:\Program Files\Java
2008-06-06 02:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 17:57 --------- d-----w C:\Documents and Settings\Hank\Application Data\Canon
2008-05-30 03:31 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-29 04:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-05-29 04:20 --------- d-----w C:\Program Files\Conquer 2.0
2008-05-27 01:19 106 ----a-w C:\Program Files\path.ini
2008-05-18 06:38 53,096 -c--a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 23:58 222 ----a-w C:\Program Files\pink.bmp
2008-05-03 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-02 05:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2008-04-30 22:05 --------- d-----w C:\Program Files\Starcraft
2008-04-27 19:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\Xfire
2008-04-25 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-20 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Valve
2008-04-19 02:15 --------- d-----w C:\Program Files\Xfire
2008-04-18 03:24 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 05:40 --------- d-----w C:\Program Files\QuickTime
2008-04-16 06:04 --------- d-----w C:\Program Files\Winamp
2008-04-16 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-16 03:46 --------- d-----w C:\Program Files\Windows Live Favorites
2008-04-16 03:45 --------- d-----w C:\Program Files\Windows Live
2008-04-16 03:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-14 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-01 19:25 52,312 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-07 09:18 19,636 ----a-w C:\Program Files\th_07.jpg
2007-12-07 09:05 680 ----a-w C:\Program Files\bl_07.jpg
2007-12-05 13:15 23,446 ----a-w C:\Program Files\bk2.jpg
2007-12-05 01:06 10,528 ----a-w C:\Program Files\else.gif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-03-29 11:39 1271032]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"Aim6"="" []
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 09:51 486856]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 09:10 715888]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-05-14 13:41 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"ZDConfig"="" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-05-28 12:35 67112]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-17 18:43:08 49254]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\SteamApps\\bongbongboi\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 ms6823;IEEE802.11b Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\ms6823.sys [2004-06-10 11:47]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb0561b-4105-11dc-8105-001a4d81e71e}]
\Shell\AutoRun\command - G:\0.com
\Shell\explore\Command - G:\0.com
\Shell\open\Command - G:\0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff00737-ccee-11dc-b686-001a4d81e71e}]
\Shell\AutoRun\command - I:\iq0ecwcj.cmd
\Shell\explore\Command - I:\iq0ecwcj.cmd
\Shell\open\Command - I:\iq0ecwcj.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
\Shell\AutoRun\command - qpe6.com
\Shell\explore\Command - qpe6.com
\Shell\open\Command - qpe6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80c67a8b-6910-11dc-8154-001a4d81e71e}]
\Shell\AutoRun\command - J:\0qx0sc6.bat
\Shell\explore\Command - J:\0qx0sc6.bat
\Shell\open\Command - J:\0qx0sc6.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f442454-fb5c-11dc-b6b6-001a4d81e71e}]
\Shell\AutoRun\command - I:\diox3j.com
\Shell\explore\Command - I:\diox3j.com
\Shell\open\Command - I:\diox3j.com

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 19:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 15:16:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 19:02:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-06-06 19:07:27 - machine was rebooted [Randy]
ComboFix-quarantined-files.txt 2008-06-07 02:07:24

Pre-Run: 5,757,038,592 bytes free
Post-Run: 5,977,825,280 bytes free

213 --- E O F --- 2008-05-28 10:01:55

-----------------------------------------------------------------------------------------------------------------------------------------------------

My HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:34 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\program files\steam\steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9071 bytes

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 07 June 2008 - 01:18 AM

Mr Panda,

Lets get your system clean and then if you are still having problems, we'll send you over to the Tech Forums and have the experts there have a go. :thumbup:

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Players components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is often installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware
It is STRONGLY recommended that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, then Settings, then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, Remove the Viewpoint component
  • Do the same for each Viewpoint component.

LimeWire
You have LimeWire, a P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetw...cles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Program Files\path.ini <===this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.


COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    C:\sqmdata17.sqm
    C:\sqmnoopt17.sqm
    C:\sqmdata16.sqm
    C:\sqmnoopt16.sqm
    C:\sqmdata15.sqm
    C:\sqmnoopt15.sqm
    C:\sqmdata14.sqm
    C:\sqmnoopt14.sqm
    C:\sqmdata13.sqm
    C:\sqmnoopt13.sqm
    C:\sqmdata12.sqm
    C:\sqmnoopt12.sqm
    C:\sqmdata11.sqm
    C:\sqmnoopt11.sqm
    C:\sqmdata10.sqm
    C:\sqmnoopt10.sqm
    C:\sqmdata09.sqm
    C:\sqmdata08.sqm
    C:\sqmnoopt09.sqm
    C:\sqmnoopt08.sqm
    C:\sqmdata07.sqm
    C:\sqmnoopt07.sqm
    C:\sqmdata06.sqm
    C:\sqmnoopt06.sqm
    C:\sqmdata05.sqm
    C:\sqmnoopt05.sqm
    C:\sqmdata04.sqm
    C:\sqmnoopt04.sqm
    G:\0.com
    I:\iq0ecwcj.cmd
    qpe6.com
    J:\0qx0sc6.bat
    I:\diox3j.com
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZDConfig"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fb0561b-4105-11dc-8105-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff00737-ccee-11dc-b686-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80c67a8b-6910-11dc-8154-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f442454-fb5c-11dc-b6b6-001a4d81e71e}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

THEN

Please do an online scan with [url="http://www.kaspersky.com/kos/english/kavwebscan.html"]Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

In next reply, please provide:
  • Jotti Report
  • Combofix Report
  • Kaspersky Report
  • New HijackThis Log

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#7 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 June 2008 - 12:58 AM

I'm not sure how to do a Kaspersky report... so i saved, then copy pasted. The window's still open if you have any other method.

also, i couldnt get jotti to load in my browser

ComboFix 08-06-06.6 - Hank 2008-06-07 9:22:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1435 [GMT -7:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hank\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
G:\0.com
I:\iq0ecwcj.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 03:24 . 2008-06-07 03:24 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 03:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 03:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\SiteAdvisor
2008-06-07 03:23 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-07 03:23 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-07 03:23 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-07 03:23 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-07 03:23 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-07 03:23 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee
2008-06-07 03:21 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-07 03:20 . 2008-06-07 03:21 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\DAEMON Tools
2008-06-07 03:05 . 2008-06-07 03:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\RaidTool
2008-06-06 23:26 . 2007-11-19 11:28 1,966,080 --a------ C:\WINDOWS\system32\xRaidSetup.exe
2008-06-06 23:26 . 2008-03-19 10:54 151,552 --a------ C:\WINDOWS\system32\xRaidAPI.dll
2008-06-06 23:26 . 2008-05-08 14:21 77,200 --a------ C:\WINDOWS\system32\drivers\jraid.sys
2008-06-05 21:08 . 2008-06-05 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 19:23 . 2008-06-05 19:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 19:22 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-05 19:22 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-05 19:03 . 2008-06-05 19:03 <DIR> d-------- C:\Documents and Settings\Hank\Contacts
2008-06-04 22:03 . 2008-06-04 22:13 <DIR> d-------- C:\Documents and Settings\Randy\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 16:17 --------- d-----w C:\Program Files\Viewpoint
2008-06-07 16:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 16:16 --------- d-----w C:\Program Files\Steam
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-07 10:23 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-07 10:23 --------- d-----w C:\Program Files\VideoLAN
2008-06-07 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 02:41 --------- d-----w C:\Documents and Settings\Randy\Application Data\SiteAdvisor
2008-06-06 02:08 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-06 02:06 --------- d-----w C:\Program Files\Java
2008-06-05 17:57 --------- d-----w C:\Documents and Settings\Hank\Application Data\Canon
2008-05-30 03:31 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-29 04:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-05-29 04:20 --------- d-----w C:\Program Files\Conquer 2.0
2008-05-27 01:19 106 ----a-w C:\Program Files\path.ini
2008-05-18 06:38 53,096 -c--a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 23:58 222 ----a-w C:\Program Files\pink.bmp
2008-05-03 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-02 05:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2008-04-30 22:05 --------- d-----w C:\Program Files\Starcraft
2008-04-27 19:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\Xfire
2008-04-25 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-20 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Valve
2008-04-19 02:15 --------- d-----w C:\Program Files\Xfire
2008-04-18 03:24 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 05:40 --------- d-----w C:\Program Files\QuickTime
2008-04-16 06:04 --------- d-----w C:\Program Files\Winamp
2008-04-16 03:45 --------- d-----w C:\Program Files\Windows Live
2008-04-16 03:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-14 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-01 19:25 52,312 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-07 09:18 19,636 ----a-w C:\Program Files\th_07.jpg
2007-12-07 09:05 680 ----a-w C:\Program Files\bl_07.jpg
2007-12-05 13:15 23,446 ----a-w C:\Program Files\bk2.jpg
2007-12-05 01:06 10,528 ----a-w C:\Program Files\else.gif
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_19.07.14.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 02:01:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 16:25:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-20 21:41:06 32,768 ----a-w C:\WINDOWS\RaidTool\IDEDrvSetup.exe
+ 2007-03-21 04:01:14 2,560 ----a-w C:\WINDOWS\RaidTool\xIDESetup.exe
+ 2008-05-02 22:52:34 28,672 ----a-w C:\WINDOWS\RaidTool\xInsDrv.dll
+ 2007-03-20 21:36:18 36,864 ----a-w C:\WINDOWS\RaidTool\xInsIDE.exe
- 2007-07-30 01:18:50 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-07 14:58:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-07-30 01:18:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-07 14:58:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-30 01:18:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-07 14:58:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-07 10:18:51 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 14:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-11-19 11:28 1966080]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 13:07 36640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-17 18:43:08 49254]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\SteamApps\\bongbongboi\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
S2 0034681212834166mcinstcleanup;McAfee Application Installer Cleanup (0034681212834166);C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 ms6823;IEEE802.11b Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\ms6823.sys [2004-06-10 11:47]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
\Shell\AutoRun\command - qpe6.com
\Shell\explore\Command - qpe6.com
\Shell\open\Command - qpe6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f75c1fc-2dea-11dd-ab3a-001a4d81e71e}]
\Shell\AutoRun\command - G:\ff1q0gw.bat
\Shell\explore\Command - G:\ff1q0gw.bat
\Shell\open\Command - G:\ff1q0gw.bat

*Newly Created Service* - 0034681212834166MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 19:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 10:22:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-07 10:22:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 09:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsmap.exe
.
**************************************************************************
.
Completion time: 2008-06-07 9:30:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 16:30:49
ComboFix2.txt 2008-06-07 02:07:27

Pre-Run: 5,849,677,824 bytes free
Post-Run: 5,963,497,472 bytes free

268 --- E O F --- 2008-05-28 10:01:55










KASPERSKY ONLINE SCANNER REPORT
Saturday, June 07, 2008 8:07:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 838150
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\
I:\
Scan Statistics
Total number of scanned objects 154240
Number of viruses found 6
Number of infected objects 32
Number of suspicious objects 40
Duration of the scan process 04:39:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{7FCB51A9-A501-47BF-B3A9-5924EE87273A}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{F4646FBC-779E-4BF5-BA77-854158D239C5}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d867d23322af0.bup Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a4cccb202768059fa4866802d63935c4_52b68050-2021-4599-803b-97584923119d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\history.dat Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\key3.db Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Hank\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Hank\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1ylffsz3.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Temp\~DF913B.tmp Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Hank\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hank\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hank\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Desktop\NetoverlordsMS.zip/NetoverlordsMS.exe Infected: Trojan-PSW.Win32.Mapler.ak skipped
C:\Documents and Settings\Randy\Desktop\NetoverlordsMS.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3F4D4776-5780-4C3B-9EF2-B4264DD44534}\RP327\A0119760.exe Infected: Trojan-PSW.Win32.Mapler.ak skipped
C:\System Volume Information\_restore{3F4D4776-5780-4C3B-9EF2-B4264DD44534}\RP343\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2B05hr0TfAnc8Lz Object is locked skipped
C:\WINDOWS\Temp\mcmsc_GxvONqZYNNnI1OB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_kNg8nXJBggrBje6 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_m70YfLh1muqT4MU Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Nexon\NetoverlordsMS.exe Infected: Trojan-PSW.Win32.Mapler.ak skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{3F4D4776-5780-4C3B-9EF2-B4264DD44534}\RP343\change.log Object is locked skipped
I:\System Volume Information\_restore{3F4D4776-5780-4C3B-9EF2-B4264DD44534}\RP343\change.log Object is locked skipped
I:\0424hitachi\bk0616\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\0424hitachi\bk0616\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\0424hitachi\bk0616\OE Mailbox\Rl.dbx MailMSOutlook5: suspicious - 2 skipped
I:\0424hitachi\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From ][Date Sun, 28 Mar 2004 11:30:06 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\bk0616\OE Mailbox\Anti PC fone virus1110.dbx MailMSOutlook5: suspicious - 3 skipped
I:\0424hitachi\bk0616\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\bk0616\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\bk0616\OE Mailbox\z0304.dbx MailMSOutlook5: suspicious - 2 skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From ][Date Sun, 28 Mar 2004 11:30:06 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx MailMSOutlook5: suspicious - 3 skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\z0304.dbx MailMSOutlook5: suspicious - 2 skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\Rl.dbx MailMSOutlook5: suspicious - 2 skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip/price.html Infected: Exploit.HTML.CodeBaseExec skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip/price/price.exe Infected: Email-Worm.Win32.Bagle.al skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip Infected: Email-Worm.Win32.Bagle.al skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.al skipped
I:\0424hitachi\OE815-2.81g\OE Mailbox\刪除的郵件.dbx MailMSOutlook5: infected - 4 skipped
I:\0424hitachi\oe1204\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\oe1204\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\oe1204\OE Mailbox\0902temp.dbx MailMSOutlook5: infected - 2 skipped
I:\0424hitachi\oe1204\OE Mailbox\z090304.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\oe1204\OE Mailbox\z090304.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\oe1204\OE Mailbox\z090304.dbx MailMSOutlook5: infected - 2 skipped
I:\0424hitachi\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\0424hitachi\OE Mailbox\0902temp.dbx MailMSOutlook5: infected - 2 skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Anti PC fone virus1110.dbx/[From ][Date Sun, 28 Mar 2004 11:30:06 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Anti PC fone virus1110.dbx MailMSOutlook5: suspicious - 3 skipped
I:\old-hitachi010105\bk0616\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\bk0616\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\bk0616\OE Mailbox\z0304.dbx MailMSOutlook5: suspicious - 2 skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\old-hitachi010105\bk0616\OE Mailbox\Rl.dbx MailMSOutlook5: suspicious - 2 skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From "Postmaster" ][Date Tue, 9 Mar 2004 19:30:56 +0100 (CET)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx/[From ][Date Sun, 28 Mar 2004 11:30:06 +0200]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Anti PC fone virus1110.dbx MailMSOutlook5: suspicious - 3 skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\z0304.dbx/[From "Internet Mail Storage System" ][Date Sat, 13 Mar 2004 21:52:00 +0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\z0304.dbx MailMSOutlook5: suspicious - 2 skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Rl.dbx/[From "Markd" ][Date Mon, 17 May 2004 00:25:54 +0800]/UNNAMED Suspicious: Email-Worm.Win32.Bagle.mail skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\Rl.dbx MailMSOutlook5: suspicious - 2 skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip/price.html Infected: Exploit.HTML.CodeBaseExec skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip/price/price.exe Infected: Email-Worm.Win32.Bagle.al skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED/newprice.zip Infected: Email-Worm.Win32.Bagle.al skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\刪除的郵件.dbx/[From "Kevin" ][Date Mon, 09 Aug 2004 13:21:09 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.al skipped
I:\old-hitachi010105\OE815-2.81g\OE Mailbox\刪除的郵件.dbx MailMSOutlook5: infected - 4 skipped
I:\old-hitachi010105\oe1204\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\oe1204\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\oe1204\OE Mailbox\0902temp.dbx MailMSOutlook5: infected - 2 skipped
I:\old-hitachi010105\oe1204\OE Mailbox\z090304.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\oe1204\OE Mailbox\z090304.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\oe1204\OE Mailbox\z090304.dbx MailMSOutlook5: infected - 2 skipped
I:\old-hitachi010105\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\OE Mailbox\0902temp.dbx/[From CITI ][Date Tue, 07 Sep 2004 04:41:45 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.ae skipped
I:\old-hitachi010105\OE Mailbox\0902temp.dbx MailMSOutlook5: infected - 2 skipped
Scan process completed.









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:32 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://walkthrough/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Hank\LOCALS~1\TEMPOR~1\Content.IE5\OX6R45UF\KAVWEB~1.SH! C:\DOCUME~1\Hank\LOCALS~1\TEMPOR~1\Content.IE5\C1YFSLEB\BANNER~1.SH!
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Hank/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 9562 bytes

#8 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 June 2008 - 10:12 AM

It loaded, hehe heres my Jotti Scan Scan taken on 08 Jun 2008 16:09:34 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing Thanks.

#9 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 08 June 2008 - 12:45 PM

Mr Panda,

The way you provided the Kaspersky report was fine. :thumbup:

Did you set that 024 in HijackThis O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Hank/LOCALS~1/Temp/msohtml1/01/clip_image002.gif ? If not, please do the following :

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.


These folders:
  • I:\0424hitachi\bk0616\OE Mailbox
  • I:\0424hitachi\OE815-2.81g\OE Mailbox
  • I:\old-hitachi010105\bk0616\OE Mailbox
  • I:\old-hitachi010105\OE815-2.81g\OE Mailbox
contain some old email from 2004 that is infected. Please let me know if there is any reason that we cannot completely delete those folders and all the mail they contain.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#10 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 08 June 2008 - 11:04 PM

So I was able to delete those four files
If its necessary, heres another hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:10 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://walkthrough/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Hank\LOCALS~1\TEMPOR~1\Content.IE5\OX6R45UF\KAVWEB~1.SH! C:\DOCUME~1\Hank\LOCALS~1\TEMPOR~1\Content.IE5\C1YFSLEB\BANNER~1.SH!
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [Aim6] (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'Randy')
O4 - HKUS\S-1-5-21-299502267-1078145449-725345543-1003\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User 'Randy')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 10554 bytes

    Advertisements

Register to Remove


#11 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 09 June 2008 - 07:38 AM

Mr Panda,

Your doing great :thumbup: We're getting close.

Please either print out these instructions for reference or copy/paste them in notepad and save to your desktop for access when in safe mode

Make all files and folders visible
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Make sure your protection programs are still disabled or they may interfere with our fix:

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below(if present):
    • O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
      O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    qpe6.com
    G:\ff1q0gw.bat
    C:\Documents and Settings\Randy\Desktop\NetoverlordsMS.zip
    E:\Nexon\NetoverlordsMS.exe
    I:\0424hitachi\bk0616\OE Mailbox
    I:\0424hitachi\OE815-2.81g\OE Mailbox
    I:\old-hitachi010105\bk0616\OE Mailbox
    I:\old-hitachi010105\OE815-2.81g\OE Mailbox
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f75c1fc-2dea-11dd-ab3a-001a4d81e71e}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a new HijackThis Log.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#12 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 09 June 2008 - 05:56 PM

Just wondering, what was the purpose of making the folders visible?
and when I ran the HiJackThis scan, I didn't see
C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)


ComboFix 08-06-06.6 - Hank 2008-06-09 16:34:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1559 [GMT -7:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hank\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 18:24 . 2008-06-08 18:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\Nexon
2008-06-07 09:42 . 2008-06-07 09:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 09:42 . 2008-06-07 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 03:24 . 2008-06-08 08:02 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 09:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 03:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\SiteAdvisor
2008-06-07 03:23 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-07 03:23 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-07 03:23 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-07 03:23 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-07 03:23 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-07 03:23 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee
2008-06-07 03:21 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-07 03:20 . 2008-06-07 03:21 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\DAEMON Tools
2008-06-07 03:05 . 2008-06-07 03:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\RaidTool
2008-06-06 23:26 . 2007-11-19 11:28 1,966,080 --a------ C:\WINDOWS\system32\xRaidSetup.exe
2008-06-06 23:26 . 2008-03-19 10:54 151,552 --a------ C:\WINDOWS\system32\xRaidAPI.dll
2008-06-06 23:26 . 2008-05-08 14:21 77,200 --a------ C:\WINDOWS\system32\drivers\jraid.sys
2008-06-05 21:08 . 2008-06-05 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 19:23 . 2008-06-05 19:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 19:22 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-05 19:22 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-05 19:03 . 2008-06-05 19:03 <DIR> d-------- C:\Documents and Settings\Hank\Contacts
2008-06-04 22:03 . 2008-06-04 22:13 <DIR> d-------- C:\Documents and Settings\Randy\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 05:06 --------- d-----w C:\Program Files\OGPlanet
2008-06-08 04:58 --------- d-----w C:\Program Files\Steam
2008-06-07 16:17 --------- d-----w C:\Program Files\Viewpoint
2008-06-07 16:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-07 10:23 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-07 10:23 --------- d-----w C:\Program Files\VideoLAN
2008-06-07 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 02:41 --------- d-----w C:\Documents and Settings\Randy\Application Data\SiteAdvisor
2008-06-06 02:08 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-06 02:06 --------- d-----w C:\Program Files\Java
2008-06-05 17:57 --------- d-----w C:\Documents and Settings\Hank\Application Data\Canon
2008-05-30 03:31 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-29 04:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-05-29 04:20 --------- d-----w C:\Program Files\Conquer 2.0
2008-05-27 01:19 106 ----a-w C:\Program Files\path.ini
2008-05-18 06:38 53,096 -c--a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 23:58 222 ----a-w C:\Program Files\pink.bmp
2008-05-03 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-02 05:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2008-04-30 22:05 --------- d-----w C:\Program Files\Starcraft
2008-04-27 19:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\Xfire
2008-04-25 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-20 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Valve
2008-04-19 02:15 --------- d-----w C:\Program Files\Xfire
2008-04-18 03:24 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 05:40 --------- d-----w C:\Program Files\QuickTime
2008-04-16 06:04 --------- d-----w C:\Program Files\Winamp
2008-04-16 03:45 --------- d-----w C:\Program Files\Windows Live
2008-04-16 03:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-14 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-01 19:25 52,312 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-07 09:18 19,636 ----a-w C:\Program Files\th_07.jpg
2007-12-07 09:05 680 ----a-w C:\Program Files\bl_07.jpg
2007-12-05 13:15 23,446 ----a-w C:\Program Files\bk2.jpg
2007-12-05 01:06 10,528 ----a-w C:\Program Files\else.gif
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_19.07.14.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 02:01:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 23:37:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-02 17:14:35 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-06-08 00:34:28 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-06-02 17:14:35 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-06-08 00:34:28 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-06-02 17:14:35 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-06-08 00:34:28 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-06-02 17:14:35 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-06-08 00:34:28 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-06-02 17:14:35 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-06-08 00:34:28 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-06-02 17:14:35 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-06-08 00:34:28 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-06-02 17:14:35 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-06-08 00:34:28 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-06-02 17:14:35 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-06-08 00:34:28 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-06-02 17:14:36 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-06-08 00:34:28 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-06-02 17:14:35 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-06-08 00:34:28 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-06-02 17:14:35 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-06-08 00:34:28 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-03-20 21:41:06 32,768 ----a-w C:\WINDOWS\RaidTool\IDEDrvSetup.exe
+ 2007-03-21 04:01:14 2,560 ----a-w C:\WINDOWS\RaidTool\xIDESetup.exe
+ 2008-05-02 22:52:34 28,672 ----a-w C:\WINDOWS\RaidTool\xInsDrv.dll
+ 2007-03-20 21:36:18 36,864 ----a-w C:\WINDOWS\RaidTool\xInsIDE.exe
- 2007-07-30 01:18:50 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-07-30 01:18:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-30 01:18:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-07 10:18:51 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2001-02-26 18:39:38 135,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ps5UI.dll
+ 2004-08-04 07:56:46 132,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PS5UI.DLL
- 2001-02-26 18:39:50 470,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2004-08-04 07:56:46 464,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 14:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-11-19 11:28 1966080]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-28 13:07 36640]
"combofix"="C:\WINDOWS\system32\CF1793.exe" [2006-02-28 05:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-17 18:43:08 49254]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\SteamApps\\bongbongboi\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
S2 0034681212834166mcinstcleanup;McAfee Application Installer Cleanup (0034681212834166);C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 ms6823;IEEE802.11b Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\ms6823.sys [2004-06-10 11:47]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
\Shell\AutoRun\command - qpe6.com
\Shell\explore\Command - qpe6.com
\Shell\open\Command - qpe6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f75c1fc-2dea-11dd-ab3a-001a4d81e71e}]
\Shell\AutoRun\command - G:\ff1q0gw.bat
\Shell\explore\Command - G:\ff1q0gw.bat
\Shell\open\Command - G:\ff1q0gw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80c67a8b-6910-11dc-8154-001a4d81e71e}]
\Shell\AutoRun\command - J:\0qx0sc6.bat
\Shell\explore\Command - J:\0qx0sc6.bat
\Shell\open\Command - J:\0qx0sc6.bat

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 19:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 10:22:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-07 10:22:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 16:46:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-06-09 16:49:40 - machine was rebooted [Hank]
ComboFix-quarantined-files.txt 2008-06-09 23:49:37
ComboFix2.txt 2008-06-07 16:30:53
ComboFix3.txt 2008-06-07 02:07:27

Pre-Run: 6,962,847,744 bytes free
Post-Run: 6,953,467,904 bytes free

247 --- E O F --- 2008-05-28 10:01:55










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:15 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://walkthrough/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8837 bytes

#13 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 09 June 2008 - 08:59 PM

Mr Panda,

Just wondering, what was the purpose of making the folders visible?

So they can be seen.

when I ran the HiJackThis scan, I didn't see C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)

It still shows on the log you copy/pasted so it should be there. It should be the first O23 on the list. Look for the one starting with McAfee Application Installer Cleanup (0034681212834166)

Please do a search for the file called qpe6.com.
  • Right click on Start in the lower left corner of your screen
  • Select Search...
  • In the top text box called "All or part of the file name:" put qpe6.com
  • In the third text box select My Computer
  • At the bottom of the window pane click the arrow to the right of More Advanced Options
  • Make sure there is a check mark in the box to the left of search hidden files and folders
  • Click Search
  • when the file is found, Right click on it and select Delete
  • Let me know how you did in your next post


Make sure your protection programs are still disabled or they may interfere with our fix:

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below(if present):
    • O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.

Our fix didn't work last time so you need to run this script again. It has been slightly modified as "bad" things are trying to reinstall. They appear that they may be related to a program called NetoverlordsMS by Nexon. That program probably won't run when we are done and I would suggest that you don't reinstall it or you will probably be reinfected.

I don't know why the fix didn't work. Copy and save the following text file very carefully!

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    qpe6.com
    G:\ff1q0gw.bat
    J:\0qx0sc6.bat
    C:\Documents and Settings\Randy\Desktop\NetoverlordsMS.zip
    E:\Nexon\NetoverlordsMS.exe
    I:\0424hitachi\bk0616\OE Mailbox
    I:\0424hitachi\OE815-2.81g\OE Mailbox
    I:\old-hitachi010105\bk0616\OE Mailbox
    I:\old-hitachi010105\OE815-2.81g\OE Mailbox
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f75c1fc-2dea-11dd-ab3a-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80c67a8b-6910-11dc-8154-001a4d81e71e}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a new HijackThis Log.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#14 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 09 June 2008 - 10:13 PM

Well actually, NetoverlordMS is a game I play, along with about 10 of my friends.
They don't experience any viral problems. I kinda don't want to "killall" my NetoverlordMS. It is an online game with about 2000 players to this particular server
The website and forum complaints show AVG finds it as a virus, but no other comments say that it is a virus. If needed for reference, heres a link to the forums http://ms.netoverlords.net/forums/

EDIT: I searched for the qpe6 file but it didnt appear.

When I try to fix the file, it doesnt go away.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:52 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://walkthrough/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8783 bytes

Edited by Mr Panda, 10 June 2008 - 12:37 AM.


#15 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 10 June 2008 - 12:30 PM

Mr Panda,

I've removed the entries from the fix that will remove the infected game files. If you do further internet research you will find that AVG is not the only Anti-Virus that flags it. It has a component in it that makes your computer extremely vulnerable but, it's your computer to do with as you wish.


Make sure your protection programs are still disabled or they may interfere with our fix:

  • Please open HijackThis
  • select None of the above, just start the program
  • click on Config
  • click on Misc Tools
  • press the Delete an NT service.. button
  • When it opens enter 0034681212834166mcinstcleanup
  • press OK
  • Exit HijackThis

I don't know why the fix didn't work. Copy and save the following text file very carefully!

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    qpe6.com
    G:\ff1q0gw.bat
    J:\0qx0sc6.bat
    I:\0424hitachi\bk0616\OE Mailbox
    I:\0424hitachi\OE815-2.81g\OE Mailbox
    I:\old-hitachi010105\bk0616\OE Mailbox
    I:\old-hitachi010105\OE815-2.81g\OE Mailbox
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48088075-24ee-11dd-ab33-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f75c1fc-2dea-11dd-ab3a-001a4d81e71e}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80c67a8b-6910-11dc-8154-001a4d81e71e}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a new HijackThis Log.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users