Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mrofinu1535.exe Help!(urgent


  • This topic is locked This topic is locked
19 replies to this topic

#1 kevinmax101

kevinmax101

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 17 April 2008 - 03:06 AM

um Hello all, I cant seem to remove the virus maually by myself, can someone help me

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:13 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\Watcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\regedit.exe
C:\DOCUMENTS AND SETTINGS\KEVIN\MY DOCUMENTS\KEVIN\PROCEXP.EXE
C:\Program Files\Trend Micro\Hijackcheck\Hijackcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O2 - BHO: (no name) - {DE83F1CC-31BB-41B0-B941-94A520C15E43} - C:\WINDOWS\system32\opnkiHaX.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-21-117609710-1292428093-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'assessor')
O4 - HKUS\S-1-5-21-117609710-1292428093-725345543-1003\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 User Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'assessor')
O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170158887265
O20 - Winlogon Notify: ddcYpMca - C:\WINDOWS\SYSTEM32\ddcYpMca.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe

--
End of file - 7203 bytes


PLEASE HELP

BC AdBot (Login to Remove)

 


m

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:36 AM

Posted 17 April 2008 - 09:07 PM

Hello kevinmax101,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 18 April 2008 - 05:14 PM

Um, Actually, C:\WINDOWS\SYSTEM32\ddcYpMca.dll, C:\WINDOWS\system32\opnkiHaX.dll using THe Avenger, Is that OK

Heres the Avenger log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\system32\opnkiHaX.dll" deleted successfully.
File "C:\Windows\system32\ddcYpMca.dll" deleted successfully.
File "C:\Windows\system32\FOOL0.dll" deleted successfully.
File "C:\Windows\system32\FOOL1.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I'm gonna download combofix still.

#4 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 18 April 2008 - 06:05 PM

COMBOFIX LOG:

ComboFix 08-04-17.1 - Kevin 2008-04-19 6:37:07.1 - NTFSx86
Running from: C:\Documents and Settings\Kevin\Desktop\Anti Malware folder\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\XaHiknpo.ini
C:\WINDOWS\system32\XaHiknpo.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-08 17:27 . 2008-04-18 17:13 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Orbit
2008-04-08 15:17 . 2008-04-08 15:35 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Hide IP NG
2008-04-07 08:43 . 2008-04-07 08:43 48 --a------ C:\WINDOWS\MyProg.ini
2008-03-26 20:50 . 2008-03-26 20:50 <DIR> d-------- C:\Program Files\MIKSOFT
2008-03-26 20:33 . 2008-03-26 20:33 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Music Recognition
2008-03-19 10:57 . 2008-03-19 10:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 22:50 46,744,352 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 22:50 2,096,928 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-18 22:45 632,948 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-18 22:45 202,784 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-16 03:17 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Canon
2008-03-16 02:44 --------- d-----w C:\Program Files\Canon
2008-03-16 02:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\ScanSoft
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-03-16 02:41 --------- d-----w C:\Program Files\ScanSoft
2008-03-16 02:41 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-03-16 02:39 --------- d-----w C:\Program Files\ArcSoft
2008-03-16 02:38 --------- d-----w C:\Documents and Settings\Kevin\Application Data\InterTrust
2008-03-13 04:04 --------- d-----w C:\Program Files\Chikka V4
2008-03-07 11:06 --------- d-----w C:\Program Files\Trend Micro
2008-03-01 16:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-27 10:05 107,534 ----a-w C:\WINDOWS\system32\help.exe.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09 139367]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"CAMMON_JL2005A"="C:\Program Files\JL2005A\cam_mon" [ ]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2005-03-29 10:47 172032]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
KYESCAN.lnk - C:\Program Files\ScannerU\KYESCAN.EXE [2007-07-05 20:05:06 184320]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ampli]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1535.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"D:\\backup\\Warcraft\\Warcraft III\\War3.exe"=
"D:\\backup\\Warcraft\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Orbitdownloader\\orbitdm.exe"=
"D:\\Orbitdownloader\\orbitnet.exe"=

R2 SwiWiFiComm;SwiWiFiComm;C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe [2005-04-05 12:22]
R3 ACGPRS;Sierra Wireless EDGE Adapter;C:\WINDOWS\system32\DRIVERS\acgprs.sys [2005-02-09 11:02]
S2 BulkUsb;Genius ColorPage USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 17:43]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dee23b1-6ca3-11dc-a748-00a0d5ffff89}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 22:46:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-07 12:35:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-20 08:24:40 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 06:47:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\JL2005A\cam_mon.exe
.
**************************************************************************
.
Completion time: 2008-04-19 6:55:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 22:55:41

Pre-Run: 1,092,333,568 bytes free
Post-Run: 1,431,171,072 bytes free
.
2007-09-22 13:38:44 --- E O F ---

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:36 AM

Posted 18 April 2008 - 06:08 PM

Hello,

Using Avenger like that is not okay, really. But right now, that's neither here nor there since you have a bigger problem on your hands. :thumbsup: This entry : O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll indicates that you have a password stealing worm in your system.
http://www.castlecops.com/clsid-41714.html

Your system has been compromised. If you don't reformat and reinstall, which is your safest and surest course, then it is extremely important to change your passwords and such after it's clean. Your passwords are all known. Don't do it now, or they'll just get stolen again. Keep an eye on any sensitive accounts you might have for nefarious activity.

Please let me know what you decide to do.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 19 April 2008 - 06:19 PM

I Dont want to reformat and reinstall, How do I clean It, What Passwords does it steal? PLZ help

#7 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 19 April 2008 - 06:25 PM

HEY, I searched Google and it says ieso0.dll Is a variant of kxvo.exe, Which I already Removed myself with help from another forum, If I do that, That way i'll remove it is the normal malware removal technique(registry delete, files delete, Startup delete).

#8 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 19 April 2008 - 06:33 PM

Anyways, I downloaded the fix from http://net-studio.org, I'll try to run it now

#9 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 19 April 2008 - 06:52 PM

Well, I think Problems fixed now, I used the FIX and it deleted ieso0.dll, which was there when I was infected by kxvo.exe last month. So Heres the HJT Log, Dont worry about anything related to IE, Me and my Family Uses FIREFOX anyways, IE is too slow.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:10 AM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\Watcher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Hijackcheck\Hijackcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE
O8 - Extra context menu item: &Download by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170158887265
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe

--
End of file - 5375 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:36 AM

Posted 20 April 2008 - 12:36 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ampli]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

File::
C:\WINDOWS\system32\kxvo.exe
C:\WINDOWS\mrofinu1535.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks.
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 21 April 2008 - 06:10 AM

Um, I just have a question before i Post the log, Did the Fix work?

Combofix Log:

ComboFix 08-04-17.1 - Kevin 2008-04-21 18:46:51.2 - NTFSx86
Running from: C:\Documents and Settings\Kevin\Desktop\Anti Malware folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\Anti Malware folder\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\kxvo.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-08 17:27 . 2008-04-18 17:13 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Orbit
2008-04-08 15:17 . 2008-04-08 15:35 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Hide IP NG
2008-04-07 08:43 . 2008-04-07 08:43 48 --a------ C:\WINDOWS\MyProg.ini
2008-03-26 20:50 . 2008-03-26 20:50 <DIR> d-------- C:\Program Files\MIKSOFT
2008-03-26 20:33 . 2008-03-26 20:33 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Music Recognition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 10:53 46,989,856 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-21 10:52 2,107,680 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-21 08:57 635,708 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-21 08:57 203,600 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-16 03:17 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Canon
2008-03-16 02:44 --------- d-----w C:\Program Files\Canon
2008-03-16 02:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\Kevin\Application Data\ScanSoft
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-03-16 02:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-03-16 02:41 --------- d-----w C:\Program Files\ScanSoft
2008-03-16 02:41 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-03-16 02:39 --------- d-----w C:\Program Files\ArcSoft
2008-03-16 02:38 --------- d-----w C:\Documents and Settings\Kevin\Application Data\InterTrust
2008-03-13 04:04 --------- d-----w C:\Program Files\Chikka V4
2008-03-07 11:06 --------- d-----w C:\Program Files\Trend Micro
2008-03-01 16:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-27 10:05 107,534 ----a-w C:\WINDOWS\system32\help.exe.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_ 6.54.55.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 22:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 08:59:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09 139367]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"CAMMON_JL2005A"="C:\Program Files\JL2005A\cam_mon" [ ]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2005-03-29 10:47 172032]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
KYESCAN.lnk - C:\Program Files\ScannerU\KYESCAN.EXE [2007-07-05 20:05:06 184320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"D:\\backup\\Warcraft\\Warcraft III\\War3.exe"=
"D:\\backup\\Warcraft\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Orbitdownloader\\orbitdm.exe"=
"D:\\Orbitdownloader\\orbitnet.exe"=

R2 SwiWiFiComm;SwiWiFiComm;C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe [2005-04-05 12:22]
R3 ACGPRS;Sierra Wireless EDGE Adapter;C:\WINDOWS\system32\DRIVERS\acgprs.sys [2005-02-09 11:02]
S2 BulkUsb;Genius ColorPage USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 17:43]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dee23b1-6ca3-11dc-a748-00a0d5ffff89}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 10:37:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-07 12:35:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-20 08:24:40 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 18:52:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 18:58:06
ComboFix-quarantined-files.txt 2008-04-21 10:57:54
ComboFix2.txt 2008-04-18 22:55:53

Pre-Run: 1,296,855,040 bytes free
Post-Run: 1,314,095,104 bytes free
.
2007-09-22 13:38:44 --- E O F ---

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:38 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\JL2005A\cam_mon.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Hijackcheck\Hijackcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CAMMON_JL2005A] C:\Program Files\JL2005A\cam_mon
O4 - HKLM\..\Run: [AirCardEnabler] "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-117609710-1292428093-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'assessor')
O4 - HKUS\S-1-5-21-117609710-1292428093-725345543-1003\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'assessor')
O4 - S-1-5-21-117609710-1292428093-725345543-1003 User Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'assessor')
O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE
O8 - Extra context menu item: &Download by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170158887265
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless Inc\AirCard 700 Series\SwiWiFiComm.exe

--
End of file - 6208 bytes

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:36 AM

Posted 21 April 2008 - 12:58 PM

Hello,

Did the Fix work?

I don't see any remaining evidence of the original problem in your logs. :thumbsup: How is it running?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 21 April 2008 - 08:23 PM

You know, This has been the longest time I removed a virus, most of the time its taken less than 2 hours.
Actually, I still have a problem from previous infections, when I double click a drive, it always open on a new window, so we always use the explore command and the address bar to get in w/out opening in a new window. Can you help me fix this?

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:36 AM

Posted 21 April 2008 - 08:31 PM

Hello,

I think that's just a settings issue. :thumbsup: Open up Windows Explorer, click on Tools, choose Folder Options. Right there on the front you should see under Browse Folders the option to open a new window or open in same window. :blink:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 kevinmax101

kevinmax101
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:36 AM

Posted 21 April 2008 - 09:13 PM

it stills open in a new window




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users