Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Infected By "rond.starsdoor.com," Help!


  • Please log in to reply
7 replies to this topic

#1 jeklund4

jeklund4

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 06 January 2008 - 09:48 AM

I'm not sure how my computer has been infected, but it definitely is. Whenever I am browsing the internet I receive these insistent pop-ups from "rond.starsdoor.com." It is highly annoying and is getting in the way of my work. I have seen a couple of other posts with similar problems so I figured I would try the same. I have pasted my HijackThis log file to this post. Any help would be greatly appreciated. Thanks.

Jon

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:03 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1144527614\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144527614\ee\aolsoftware.exe
c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\poqrmced.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christine\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [10b6c085] rundll32.exe "C:\WINDOWS\system32\eenrakbl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6170 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 08 January 2008 - 08:53 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jeklund4
My name is Richie and i'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help,follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


It appears you've no virus protection installed,which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic[Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button,then copy and paste the report into your next reply.


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\HJT\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 jeklund4

jeklund4
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 09 January 2008 - 09:32 AM

Richie,

Thanks very much for your detailed response. As requested I am providing the logs from my recent scans. The first three are from Avira Antivirus. For some reason when the scan began it stopped and restarted a couple of times, thereby creating two extra logs, each scanning only about 50 files. The third scanned the whole system. Following that are the Combofix and HijackThis logs.

A quick note, I am now receiving an error upon startup that says the following:
"ERROR loading C:\WINDOWS\system32\laorlcsh.dll
The specified module could not be found"

I am not sure whether it is a problem or not, I've just never seen it before.

Here are the logs:
Avira #1


AntiVir PersonalEdition Classic
Report file date: Tuesday, January 08, 2008 17:52

Scanning for 1017413 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CHRISTIN-B4950F

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:44:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:44:15
ANTIVIR2.VDF : 7.0.1.205 620544 Bytes 1/8/2008 22:44:15
ANTIVIR3.VDF : 7.0.1.208 9728 Bytes 1/8/2008 22:44:15
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 1/8/2008 22:44:15
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 1/8/2008 22:44:16
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, January 08, 2008 17:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'HPWUCli.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SD Monitor.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'winable.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\WinAble\winable.exe'
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SSMMgr.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'winable.exe' has been terminated

48 processes with 47 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '0' files ).



End of the scan: Tuesday, January 08, 2008 17:55
Used time: 03:54 min

The scan has been canceled!

0 Scanning directories
47 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
46 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes

Avira #2


AntiVir PersonalEdition Classic
Report file date: Tuesday, January 08, 2008 17:52

Scanning for 1017413 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CHRISTIN-B4950F

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:44:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:44:15
ANTIVIR2.VDF : 7.0.1.205 620544 Bytes 1/8/2008 22:44:15
ANTIVIR3.VDF : 7.0.1.208 9728 Bytes 1/8/2008 22:44:15
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 1/8/2008 22:44:15
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 1/8/2008 22:44:16
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, January 08, 2008 17:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'HPWUCli.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SD Monitor.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'winable.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\WinAble\winable.exe'
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SSMMgr.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'winable.exe' has been terminated

48 processes with 47 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!


End of the scan: Tuesday, January 08, 2008 17:53
Used time: 02:01 min

The scan has been canceled!

0 Scanning directories
47 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
46 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes

Avira #3


AntiVir PersonalEdition Classic
Report file date: Tuesday, January 08, 2008 17:52

Scanning for 1017413 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CHRISTIN-B4950F

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:44:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:44:15
ANTIVIR2.VDF : 7.0.1.205 620544 Bytes 1/8/2008 22:44:15
ANTIVIR3.VDF : 7.0.1.208 9728 Bytes 1/8/2008 22:44:15
AVEWIN32.DLL : 7.6.0.46 3084800 Bytes 1/8/2008 22:44:15
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.2 360488 Bytes 1/8/2008 22:44:16
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, January 08, 2008 17:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'HPWUCli.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SD Monitor.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'winable.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\WinAble\winable.exe'
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SSMMgr.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'AOLDial.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'winable.exe' has been terminated
C:\Program Files\WinAble\winable.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.NI
[INFO] The file was deleted!

48 processes with 47 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\pmnnmno.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\pmnnmno.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC

The registry was scanned ( '38' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\!KillBox\Temporary\wininstall.exe
[DETECTION] Is the Trojan horse TR/Agent.crf.1
[INFO] The file was deleted!
C:\!KillBox\WinAble\winable.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.NI
[INFO] The file was moved to '47f20082.qua'!
C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\CTM7GDEF\hctp[1]
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\HP Photosmart\photosmart8\enu\A\setup\HPZmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Digital Imaging\digitalimagingmonitor\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Digital Imaging\esupport\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Digital Imaging\extcapuninstall\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Digital Imaging\uninstall\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\Program Files\HP\Temp\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzmsi01.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP519\A0050983.exe
[DETECTION] Is the Trojan horse TR/Dldr.EV.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP519\A0050990.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.30
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP519\A0051049.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP520\A0052216.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47b41352.qua'!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP521\A0052394.exe
[DETECTION] Is the Trojan horse TR/Agent.crf.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP526\A0056479.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056607.dll
[DETECTION] Is the Trojan horse TR/Vundo.dvc.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056608.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056609.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.NI
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056611.exe
[DETECTION] Is the Trojan horse TR/Agent.crf.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056612.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.NI
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056613.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056614.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056615.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056616.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056617.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056618.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\System Volume Information\_restore{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056619.exe
[DETECTION] Is the Trojan horse TR/Agent.1130496
[INFO] The file was deleted!
C:\WINDOWS\b122.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.erf
[INFO] The file was deleted!
C:\WINDOWS\mrofinu72.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\appluudh.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\dqqalyrm.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\dsvyowoq.dll
[DETECTION] Is the Trojan horse TR/Vundo.dvc.2
[INFO] The file was deleted!
C:\WINDOWS\system32\eenrakbl.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\WINDOWS\system32\ifwwxvwx.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\ihkvnklo.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\WINDOWS\system32\jkkhh.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\norrokmn.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\oqijwvnf.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\pmnnmno.dll
[DETECTION] Is the Trojan horse TR/Drop.Agent.JC
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\qcqwrnhx.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\qmhacvxc.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\WINDOWS\system32\rqihyhmu.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\WINDOWS\system32\ybrlqvlj.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\ypthwpwr.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!
C:\WINDOWS\system32\ywwunfrd.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\yxrjtfdd.dll
[DETECTION] Is the Trojan horse TR/Vundo.DUP
[INFO] The file was deleted!


End of the scan: Tuesday, January 08, 2008 19:45
Used time: 1:53:53 min

The scan has been done completely.

3961 Scanning directories
181465 Files were scanned
49 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
44 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
181416 Files not concerned
2192 Archives were scanned
5 Warnings
0 Notes

ComboFix
ComboFix 08-01-09.2 - Christine 2008-01-09 8:58:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.87 [GMT -5:00]
Running from: C:\Documents and Settings\Christine\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinAble
C:\WINDOWS\system32\cxvcahmq.ini
C:\WINDOWS\system32\ddftjrxy.ini
C:\WINDOWS\system32\frorkqhu.ini
C:\WINDOWS\system32\hhkkj.ini
C:\WINDOWS\system32\hhkkj.ini2
C:\WINDOWS\system32\hmmfvtis.exe
C:\WINDOWS\system32\hsclroal.ini
C:\WINDOWS\system32\igccxfar.exe
C:\WINDOWS\system32\jkkhh.dll
C:\WINDOWS\system32\kgggdxbj.exe
C:\WINDOWS\system32\lbkarnee.ini
C:\WINDOWS\system32\pmnnmno.dll
C:\WINDOWS\system32\poqrmced.exe
C:\WINDOWS\system32\rlttemjh.exe
C:\WINDOWS\system32\sbcxcwkn.exe
C:\WINDOWS\system32\srylksuj.exe
C:\WINDOWS\system32\tcijagbm.exe
C:\WINDOWS\system32\umhyhiqr.ini
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\xhnrwqcq.ini
C:\WINDOWS\system32\xxarhynn.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-09 08:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 08:50 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-09 08:49 . 2008-01-09 08:50 <DIR> d-------- C:\Program Files\Java
2008-01-09 08:49 . 2008-01-09 08:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-09 08:12 . 2008-01-09 08:12 <DIR> d-------- C:\New Folder
2008-01-08 17:31 . 2008-01-08 17:31 <DIR> d-------- C:\Program Files\Avira
2008-01-08 17:31 . 2008-01-08 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-08 17:25 . 2008-01-09 08:12 <DIR> d-------- C:\Java
2008-01-08 17:11 . 2008-01-08 17:13 <DIR> d-------- C:\HijackThis
2008-01-07 23:21 . 2008-01-07 23:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-28 20:30 . 2007-12-28 20:30 294 --ahs---- C:\WINDOWS\system32\olknvkhi.ini
2007-12-26 19:39 . 2007-12-26 19:39 <DIR> d-------- C:\Program Files\Spybot
2007-12-26 19:34 . 2007-12-26 19:34 <DIR> d-------- C:\Program Files\Killbox
2007-12-26 19:31 . 2007-12-28 18:23 474 --ahs---- C:\WINDOWS\system32\rwpwhtpy.ini
2007-12-15 22:21 . 2007-12-15 22:21 <DIR> d-------- C:\Documents and Settings\Christine\Application Data\Viewpoint
2007-12-15 20:51 . 2007-12-15 20:51 2,238 --a------ C:\WINDOWS\system32\GClogo_32x32.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 12:19 --------- d-----w C:\Documents and Settings\Christine\Application Data\AdobeUM
2008-01-01 22:22 --------- d-----w C:\Program Files\Bodog Poker
2007-12-16 16:34 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-16 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-19 23:53 --------- d-----w C:\Program Files\Sportsbook Poker
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-02-01 11:35 21,848 -c--a-w C:\Documents and Settings\Christine\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 04:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4bc79eb1-a733-404c-8243-aded159b2a40}]
C:\WINDOWS\system32\bpkqnfal.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 21:26 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-08 15:25 98304]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 01:26 49152]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-20 21:09 185896]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [2007-05-30 16:21 520192]
"10b6c085"="C:\WINDOWS\system32\laorlcsh.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-08 17:44 249896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

R3 fem556B;3Com 3ccfem556B PCMCIA Device Driver;C:\WINDOWS\system32\DRIVERS\fem556nb.sys [2001-08-17 12:10]
R3 neo20xx;neo20xx;C:\WINDOWS\system32\DRIVERS\neo20xx.sys [2001-08-17 07:50]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 07:51]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;C:\WINDOWS\system32\DRIVERS\cben5.sys [2002-02-26 17:10]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys [2004-03-10 16:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8532363-10fd-11dc-9e67-000086204067}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 09:13:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 9:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 14:18:06
.
2008-01-09 08:06:07 --- E O F ---

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:19 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
c:\program files\common files\aol\1144527614\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144527614\ee\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {04a2b951-deda-3428-c404-337a1be97cb4} - {4bc79eb1-a733-404c-8243-aded159b2a40} - C:\WINDOWS\system32\bpkqnfal.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [10b6c085] rundll32.exe "C:\WINDOWS\system32\laorlcsh.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7363 bytes


Thanks again for all of your help. I look forward to your response.

Best,
Jon

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 09 January 2008 - 02:02 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\olknvkhi.ini
C:\WINDOWS\system32\rwpwhtpy.ini
Folder::
C:\Documents and Settings\Christine\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4bc79eb1-a733-404c-8243-aded159b2a40}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"10b6c085"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 jeklund4

jeklund4
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 January 2008 - 12:24 PM

Richie,

I was told I have an old version of HijackThis for some reason, so I reinstalled it and rescanned the drive. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:24 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\common files\aol\1144527614\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144527614\ee\aolsoftware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7045 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 10 January 2008 - 12:32 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#7 jeklund4

jeklund4
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 11 January 2008 - 09:16 AM

Richie,

Below are the requested logs.

SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/10/2008 at 09:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 07:00:31

Memory items scanned : 497
Memory threats detected : 0
Registry items scanned : 5351
Registry threats detected : 0
File items scanned : 26962
File threats detected : 42

Trojan.Downloader-Gen/DDC
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HMMFVTIS.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IGCCXFAR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KGGGDXBJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\POQRMCED.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RLTTEMJH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SBCXCWKN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SRYLKSUJ.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TCIJAGBM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XXARHYNN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056777.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056778.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056779.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056780.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056781.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056782.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056783.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056784.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056785.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSTSSV.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056776.EXE

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP519\A0050984.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP519\A0051051.DLL

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP520\A0052210.DLL

Adware.AdSponsor/ISM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP520\A0052215.EXE

Trojan.Downloader-Gen/MROFIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056621.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056622.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056623.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056624.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056625.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056626.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056627.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056628.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056629.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056630.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056631.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056632.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056633.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056634.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056635.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP530\A0056636.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056797.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AD54AAB0-3DF4-446E-888E-889F3D91FBBF}\RP535\A0056798.DLL


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:04 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\aol\1144527614\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144527614\ee\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144527614\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6961 bytes


Thanks,

Jon

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 11 January 2008 - 09:23 AM

Your log looks clean,hows your pc running now.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users