
Hijackthislog: Kaspersky Warns Of Modified Rundll32


This topic is locked
12 replies to this topic

#1 SR1

SR1

  • Members
  • 6 posts

Posted 26 April 2008 - 07:43 AM

Hi everybody,

My PC was infected with MalwareAlarm among other trojans. I installed Kaspersky and it removed most of them.

Now the full disk scan reports nothing, both in safe and regular mode.
However, as soon as I open IE, Kaspersky detects a modified rundll32.exe and hidden data sending.
Every time I start the PC, msconfig shows a new startup entry with a GUID.

I attached HijackThis logs, please help!






#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 April 2008 - 09:22 AM

Hi,

Please do not attach your logs, but copy and paste them in the thread instead.

Uninstall Enhancement Browser Tools Nextads via software > add & remove programs.
Reboot afterwards.

After reboot, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SR1

SR1
  • Topic Starter

  • Members
  • 6 posts

Posted 26 April 2008 - 11:34 AM

Thanks for your help!

I uninstalled the program, installed the Recovery Console and ran ComboFix. Here are the new ComboFix and HijackThis logs.

Sergey

ComboFix 08-04-24.1 - Kids 2008-04-26 11:16:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.115 [GMT -5:00]
Running from: C:\Documents and Settings\Kids\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 07:30 . 2008-04-26 07:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 07:27 . 2008-04-26 07:27 <DIR> d-------- C:\Deckard
2008-04-25 18:39 . 2008-04-25 18:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-25 18:35 . 2008-04-25 18:35 <DIR> d-------- C:\SDFix
2008-04-25 17:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-25 17:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-25 17:23 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-25 17:23 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-25 17:23 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-25 17:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-25 17:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-25 17:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-25 17:17 . 2008-04-25 17:24 2,930 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-24 19:20 . 2008-04-24 19:25 223 --a------ C:\WINDOWS\HP PrecisionScan Pro.INI
2008-04-24 11:33 . 2004-08-04 07:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-04-24 11:33 . 2004-08-04 07:00 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2008-04-24 07:32 . 2008-04-24 07:52 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-24 07:32 . 2008-04-24 07:52 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-24 07:27 . 2008-04-24 07:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-23 22:56 . 2008-04-24 08:22 <DIR> d-------- C:\WINDOWS\system32\pnVes01
2008-04-23 22:56 . 2008-04-23 22:56 <DIR> d-------- C:\Temp\kvebs14
2008-04-23 22:55 . 2008-04-23 22:55 <DIR> d-------- C:\Temp\zvebs14
2008-04-23 20:05 . 2008-04-24 12:05 <DIR> d-------- C:\Documents and Settings\Olga\Download
2008-04-23 19:52 . 2008-04-26 11:20 2,917,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-23 19:52 . 2008-04-26 11:04 39,572 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-23 19:52 . 2008-04-26 11:20 34,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-23 19:52 . 2008-04-26 11:04 3,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-23 19:51 . 2008-04-23 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-23 19:46 . 2008-04-25 20:19 <DIR> d-------- C:\Antivirus
2008-04-23 19:04 . 2008-04-23 19:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 19:04 . 2008-04-26 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 18:44 . 2008-04-24 06:52 1,541,733 --ahs---- C:\WINDOWS\system32\csuwvrop.ini
2008-04-23 17:37 . 2008-04-23 18:38 1,541,270 --ahs---- C:\WINDOWS\system32\vpahgrxr.ini
2008-04-23 16:00 . 2008-04-23 17:37 1,541,201 --ahs---- C:\WINDOWS\system32\xduujtmd.ini
2008-04-23 12:30 . 2008-04-23 15:52 1,541,141 --ahs---- C:\WINDOWS\system32\ganevgnt.ini
2008-04-23 06:42 . 2008-04-23 12:28 1,540,849 --ahs---- C:\WINDOWS\system32\xtdiivuw.ini
2008-04-22 18:15 . 2008-04-23 06:34 1,542,343 --ahs---- C:\WINDOWS\system32\lbxombex.ini
2008-04-21 15:38 . 2008-04-22 18:11 1,542,214 --ahs---- C:\WINDOWS\system32\ruablcdj.ini
2008-04-20 16:59 . 2008-04-21 15:31 1,541,751 --ahs---- C:\WINDOWS\system32\uqnmnxwq.ini
2008-04-20 15:56 . 2008-04-20 17:00 1,541,021 --ahs---- C:\WINDOWS\system32\haotltdg.ini
2008-04-20 15:35 . 2008-04-20 15:35 1,542,679 --ahs---- C:\WINDOWS\system32\iqtisarv.ini
2008-04-20 09:06 . 2008-04-20 15:35 1,542,601 --ahs---- C:\WINDOWS\system32\creafmix.ini
2008-04-19 11:22 . 2008-04-20 09:03 1,542,309 --ahs---- C:\WINDOWS\system32\jvlgjgyx.ini
2008-04-18 15:33 . 2008-04-19 11:19 1,541,924 --ahs---- C:\WINDOWS\system32\yfsptvrx.ini
2008-04-18 12:58 . 2008-04-18 13:06 1,540,677 --ahs---- C:\WINDOWS\system32\tbwranuf.ini
2008-04-18 11:17 . 2008-04-18 11:17 1,544,053 --ahs---- C:\WINDOWS\system32\xohdfyjr.ini
2008-04-18 11:13 . 2008-04-18 11:15 1,504,639 --ahs---- C:\WINDOWS\system32\erkiqxpb.ini
2008-04-18 11:08 . 2008-04-23 15:08 109,738 --a------ C:\WINDOWS\BMb32f5fa1.xml
2008-04-17 18:55 . 2008-04-24 12:09 18,269 --a------ C:\Documents and Settings\Olga\Application Data\update.log
2008-04-17 18:50 . 2008-04-24 13:20 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-04-17 10:19 . 2008-04-18 11:08 1,543,993 --ahs---- C:\WINDOWS\system32\yiwltfkh.ini
2008-04-17 07:20 . 2008-04-17 07:20 1,524,127 --ahs---- C:\WINDOWS\system32\xgdwexnd.ini
2008-04-16 16:10 . 2008-04-16 16:12 2,765,166 --ahs---- C:\WINDOWS\system32\dmjnquew.ini
2008-04-16 08:39 . 2008-04-16 16:12 2,552,844 --ahs---- C:\WINDOWS\system32\mdggjswl.ini
2008-04-16 08:36 . 2008-04-16 08:36 <DIR> d-------- C:\Temp\berDrv11
2008-04-16 07:02 . 2008-04-16 07:02 1,602,990 --ahs---- C:\WINDOWS\system32\clwsauub.ini
2008-04-15 23:21 . 2008-04-23 23:16 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-15 18:23 . 2008-04-16 07:28 1,602,879 --ahs---- C:\WINDOWS\system32\qfsftsvg.ini
2008-04-15 15:50 . 2008-04-15 15:50 3,744 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-15 09:05 . 2008-04-15 09:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-15 09:03 . 2007-03-29 07:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-15 09:03 . 2007-03-29 07:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-15 09:03 . 2007-03-29 07:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-15 08:50 . 2008-04-15 08:50 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Contacts
2008-04-15 08:28 . 2008-04-15 08:28 <DIR> d-------- C:\WINDOWS\system32\sFi
2008-04-15 08:28 . 2008-04-24 08:22 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-15 08:28 . 2008-04-15 08:28 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-15 08:28 . 2008-04-24 08:16 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-15 08:27 . 2008-04-24 08:12 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-15 08:27 . 2008-04-15 08:28 <DIR> d-------- C:\Temp\wdlw14
2008-04-15 08:27 . 2008-04-24 11:47 <DIR> d-------- C:\Temp
2008-04-07 19:17 . 2008-04-15 09:54 <DIR> d-------- C:\Documents and Settings\Janka\Application Data\skypePM
2008-04-07 19:17 . 2008-04-07 19:17 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-07 19:13 . 2008-04-16 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-29 16:23 . 2008-03-29 16:23 244 --ah----- C:\sqmnoopt02.sqm
2008-03-29 16:23 . 2008-03-29 16:23 232 --ah----- C:\sqmdata02.sqm
2008-03-29 13:01 . 2008-03-29 13:01 268 --ah----- C:\sqmdata01.sqm
2008-03-29 13:01 . 2008-03-29 13:01 244 --ah----- C:\sqmnoopt01.sqm
2008-03-29 09:27 . 2008-03-29 09:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 20:39 . 2007-04-25 12:57 864,256 --a------ C:\WINDOWS\Ringo Screensaver.scr
2008-03-28 20:39 . 2008-03-28 20:38 250 --a------ C:\WINDOWS\Install.info
2008-03-28 20:38 . 2008-03-28 20:38 <DIR> d-------- C:\Program Files\Ringo
2008-03-28 20:38 . 2008-04-01 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ringo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 16:41 --------- d-----w C:\Documents and Settings\Janka\Application Data\U3
2008-04-17 02:34 --------- d-----w C:\Program Files\Compaq
2008-04-10 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 13:19 --------- d-----w C:\Program Files\Google
2008-03-03 01:37 --------- d-----w C:\Documents and Settings\Katia\Application Data\MSNInstaller
2008-03-03 00:04 --------- d-----w C:\Documents and Settings\Kids\Application Data\MSNInstaller
2008-03-02 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 00:02 --------- d-----w C:\Documents and Settings\Janka\Application Data\MSNInstaller
2008-02-29 22:59 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-29 22:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_12.09.20.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 16:58:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 16:04:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 09:04:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-25 23:40:09 2,617,344 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-25 23:40:09 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-24 09:04:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-25 23:39:59 2,617,344 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-25 23:39:59 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-24 12:39:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-25 21:12:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-24 12:39:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-25 21:12:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-24 12:39:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-25 21:12:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{006C99D1-CBDD-4FC9-91B5-3AC2E06F9E8C}]
C:\WINDOWS\system32\jkkifdbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-14 07:48 68856]
"Jdkzifgp"="C:\Documents and Settings\Kids\Application Data\??stem\j?vaw.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-03-11 07:24 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-03-11 07:11 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 20:23 32873]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 19:49 98304]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 05:37 69632]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 11:24 485376]
"mMouse"="MouPter.exe" [2003-02-14 14:02 5720064 C:\WINDOWS\MouPter.exe]
"SetMou"="SetMou.exe" [2003-01-22 14:26 244736 C:\WINDOWS\SetMou.exe]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 16:45 279912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

C:\Documents and Settings\Janka\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Katia\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Olga\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Kids\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrrrpo]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b01c6c3d]
C:\WINDOWS\system32\porvwusc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-12-14 17:01 32768 C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBI]
C:\Documents and Settings\Janka\Local Settings\Temporary Internet Files\Content.IE5\WL6BWHIF\setup_sbd_en[1].exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snte]
C:\DOCUME~1\Kids\APPLIC~1\CURITY~1\smss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\system32\{e4aa35c9-22ff-76b4-3022-4e6a2fe81db4}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 16:34 36864 C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2007-04-10 16:46 709992 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 16:45]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4eebc21-e25c-11dc-8e10-001185b62945}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 15:28:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 11:20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 5

**************************************************************************
.
Completion time: 2008-04-26 11:22:01
ComboFix-quarantined-files.txt 2008-04-26 16:21:57
ComboFix2.txt 2008-04-24 17:09:52

Pre-Run: 32,879,529,984 bytes free
Post-Run: 32,949,608,448 bytes free

227 --- E O F --- 2008-04-16 08:07:36

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:58 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\MouPter.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {006C99D1-CBDD-4FC9-91B5-3AC2E06F9E8C} - C:\WINDOWS\system32\jkkifdbb.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [mMouse] MouPter.exe
O4 - HKLM\..\Run: [SetMou] SetMou.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Jdkzifgp] "C:\Documents and Settings\Kids\Application Data\??stem\j?vaw.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: rqrrrrpo - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7266 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 April 2008 - 11:44 AM

Hi,

* Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\csuwvrop.ini
C:\WINDOWS\system32\vpahgrxr.ini
C:\WINDOWS\system32\xduujtmd.ini
C:\WINDOWS\system32\ganevgnt.ini
C:\WINDOWS\system32\xtdiivuw.ini
C:\WINDOWS\system32\lbxombex.ini
C:\WINDOWS\system32\ruablcdj.ini
C:\WINDOWS\system32\uqnmnxwq.ini
C:\WINDOWS\system32\haotltdg.ini
C:\WINDOWS\system32\iqtisarv.ini
C:\WINDOWS\system32\creafmix.ini
C:\WINDOWS\system32\jvlgjgyx.ini
C:\WINDOWS\system32\yfsptvrx.ini
C:\WINDOWS\system32\tbwranuf.ini
C:\WINDOWS\system32\xohdfyjr.ini
C:\WINDOWS\system32\erkiqxpb.ini
C:\WINDOWS\BMb32f5fa1.xml
C:\WINDOWS\system32\yiwltfkh.ini
C:\WINDOWS\system32\xgdwexnd.ini
C:\WINDOWS\system32\dmjnquew.ini
C:\WINDOWS\system32\mdggjswl.ini
C:\WINDOWS\system32\clwsauub.ini
C:\WINDOWS\system32\qfsftsvg.ini
Folder::
C:\SDFix
C:\WINDOWS\system32\pnVes01
C:\Temp\kvebs14
C:\Temp\zvebs14
C:\WINDOWS\system32\sFi
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\bharebio01
C:\Temp\wdlw14
C:\Temp\berDrv11
C:\Program Files\MalwareAlarm
DirLook::
C:\Antivirus
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{006C99D1-CBDD-4FC9-91B5-3AC2E06F9E8C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jdkzifgp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrrrpo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b01c6c3d]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBI]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snte]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
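As an added illustration of how the File:: section in the script above was derived from the ComboFix log in post #3 (example code written for this edit, not part of the thread and not ComboFix's own code), the following Python parses "Files Created" lines and flags the pattern the helper targeted: hidden+system .ini files with random eight-letter names sitting directly in system32. The sample log lines are copied from the thread; the attribute-column positions (d, a, h, s) are an assumption inferred from those lines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of "Files Created" lines copied from the
# ComboFix log earlier in this thread (the page's own data).
SAMPLE_LOG = r"""
2008-04-26 07:30 . 2008-04-26 07:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 11:33 . 2004-08-04 07:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-04-23 18:44 . 2008-04-24 06:52 1,541,733 --ahs---- C:\WINDOWS\system32\csuwvrop.ini
2008-04-23 17:37 . 2008-04-23 18:38 1,541,270 --ahs---- C:\WINDOWS\system32\vpahgrxr.ini
2008-04-23 19:52 . 2008-04-26 11:20 2,917,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-18 11:08 . 2008-04-23 15:08 109,738 --a------ C:\WINDOWS\BMb32f5fa1.xml
2008-03-29 16:23 . 2008-03-29 16:23 244 --ah----- C:\sqmnoopt02.sqm
""".strip()

# One "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$"
)

# Attribute column positions as seen in the log ("d--------", "--a------",
# "--ahs----"): an assumption drawn from those lines, not from ComboFix docs.
ATTR_POS = {"dir": 0, "archive": 2, "hidden": 3, "system": 4}


def parse_files_created(log_text):
    """Parse ComboFix 'Files Created' lines into dicts; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "created": m["created"],
            "modified": m["modified"],
            "size": None if m["size"] == "<DIR>" else int(m["size"].replace(",", "")),
            "is_dir": attrs[ATTR_POS["dir"]] == "d",
            "hidden": attrs[ATTR_POS["hidden"]] == "h",
            "system": attrs[ATTR_POS["system"]] == "s",
            "path": m["path"],
        })
    return entries


def looks_generated(stem):
    """Eight lowercase letters: the naming used by the .ini files in this thread."""
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def suspicious_entries(entries):
    """Flag hidden+system .ini files with generated names directly in system32.

    Deliberately narrow: Kaspersky's own hidden fidbox.dat in the drivers folder
    and the non-hidden BMb32f5fa1.xml are not flagged; a human still reviews the rest.
    """
    flagged = []
    for e in entries:
        if e["is_dir"] or not (e["hidden"] and e["system"]):
            continue
        p = PureWindowsPath(e["path"])
        if p.parent.name.lower() != "system32" or p.suffix.lower() != ".ini":
            continue
        if looks_generated(p.stem):
            flagged.append(e)
    return flagged


def build_cfscript(flagged):
    """Render a CFScript File:: section, one path per line, in log order."""
    return "\n".join(["File::"] + [e["path"] for e in flagged])


if __name__ == "__main__":
    print(build_cfscript(suspicious_entries(parse_files_created(SAMPLE_LOG))))
```

The heuristic only reproduces the part of the helper's File:: list that follows a mechanical pattern; the remaining entries in her script (the .xml file, the Folder:: and Registry:: sections) came from reading the log by hand.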

#5 SR1

SR1
  • Topic Starter

  • Members
  • 6 posts

Posted 26 April 2008 - 12:01 PM

I ran ComboFix with the script; here are the new logs.

Sergey

ComboFix 08-04-24.1 - Kids 2008-04-26 11:52:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.105 [GMT -5:00]
Running from: C:\Documents and Settings\Kids\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kids\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMb32f5fa1.xml
C:\WINDOWS\system32\clwsauub.ini
C:\WINDOWS\system32\creafmix.ini
C:\WINDOWS\system32\csuwvrop.ini
C:\WINDOWS\system32\dmjnquew.ini
C:\WINDOWS\system32\erkiqxpb.ini
C:\WINDOWS\system32\ganevgnt.ini
C:\WINDOWS\system32\haotltdg.ini
C:\WINDOWS\system32\iqtisarv.ini
C:\WINDOWS\system32\jvlgjgyx.ini
C:\WINDOWS\system32\lbxombex.ini
C:\WINDOWS\system32\mdggjswl.ini
C:\WINDOWS\system32\qfsftsvg.ini
C:\WINDOWS\system32\ruablcdj.ini
C:\WINDOWS\system32\tbwranuf.ini
C:\WINDOWS\system32\uqnmnxwq.ini
C:\WINDOWS\system32\vpahgrxr.ini
C:\WINDOWS\system32\xduujtmd.ini
C:\WINDOWS\system32\xgdwexnd.ini
C:\WINDOWS\system32\xohdfyjr.ini
C:\WINDOWS\system32\xtdiivuw.ini
C:\WINDOWS\system32\yfsptvrx.ini
C:\WINDOWS\system32\yiwltfkh.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Janka\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\mfc71.dll
C:\Program Files\MalwareAlarm\msvcp71.dll
C:\Program Files\MalwareAlarm\msvcr71.dll
C:\Program Files\MalwareAlarm\pv.exe
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\SDFix
C:\SDFix\SDFix\apps\assosfix.reg
C:\SDFix\SDFix\apps\cliptext.exe
C:\SDFix\SDFix\apps\download.exe
C:\SDFix\SDFix\apps\dummy.sys
C:\SDFix\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\SDFix\apps\ERDNT.E_E
C:\SDFix\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\SDFix\apps\ERUNT.EXE
C:\SDFix\SDFix\apps\ERUNT.LOC
C:\SDFix\SDFix\apps\fix.reg
C:\SDFix\SDFix\apps\FixBH.reg
C:\SDFix\SDFix\apps\FixComponents.reg
C:\SDFix\SDFix\apps\FIXCU.reg
C:\SDFix\SDFix\apps\FIXLM.reg
C:\SDFix\SDFix\apps\FixPath.exe
C:\SDFix\SDFix\apps\FixRedir.reg
C:\SDFix\SDFix\apps\FixSchedule.reg
C:\SDFix\SDFix\apps\FixWebCheck.reg
C:\SDFix\SDFix\apps\fixXP.reg
C:\SDFix\SDFix\apps\FixXPsp2.reg
C:\SDFix\SDFix\apps\grep.exe
C:\SDFix\SDFix\apps\HPFix.reg
C:\SDFix\SDFix\apps\HPFix2.reg
C:\SDFix\SDFix\apps\HPFix3.reg
C:\SDFix\SDFix\apps\HPFix4.reg
C:\SDFix\SDFix\apps\HPFix5.reg
C:\SDFix\SDFix\apps\HPFix6.reg
C:\SDFix\SDFix\apps\HPFix7.reg
C:\SDFix\SDFix\apps\isadmin.exe
C:\SDFix\SDFix\apps\leg2.txt
C:\SDFix\SDFix\apps\legacy.txt
C:\SDFix\SDFix\apps\legacybk.txt
C:\SDFix\SDFix\apps\locate.com
C:\SDFix\SDFix\apps\LS.exe
C:\SDFix\SDFix\apps\MD5File.exe
C:\SDFix\SDFix\apps\MyGcpvFix.reg
C:\SDFix\SDFix\apps\MyGkFix2.reg
C:\SDFix\SDFix\apps\Process.exe
C:\SDFix\SDFix\apps\procs.exe
C:\SDFix\SDFix\apps\psservice.exe
C:\SDFix\SDFix\apps\Rem.txt
C:\SDFix\SDFix\apps\Rem2.txt
C:\SDFix\SDFix\apps\Replace\regedit.exe
C:\SDFix\SDFix\apps\Replace\W2K.exe
C:\SDFix\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\SDFix\apps\Replace\XP.exe
C:\SDFix\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\SDFix\apps\Replace\xp\null.sys
C:\SDFix\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\SDFix\apps\RestartIt!.exe
C:\SDFix\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\SDFix\apps\sc.exe
C:\SDFix\SDFix\apps\sed.exe
C:\SDFix\SDFix\apps\SF.exe
C:\SDFix\SDFix\apps\shutdown.exe
C:\SDFix\SDFix\apps\srv2.txt
C:\SDFix\SDFix\apps\srv2bk.txt
C:\SDFix\SDFix\apps\svc.txt
C:\SDFix\SDFix\apps\svcbk.txt
C:\SDFix\SDFix\apps\swreg.exe
C:\SDFix\SDFix\apps\swsc.exe
C:\SDFix\SDFix\apps\unzip.exe
C:\SDFix\SDFix\apps\vfind.exe
C:\SDFix\SDFix\apps\WINMSG.EXE
C:\SDFix\SDFix\apps\winsec.reg
C:\SDFix\SDFix\apps\zip.exe
C:\SDFix\SDFix\backups\backupreg.zip
C:\SDFix\SDFix\backups\backups.zip
C:\SDFix\SDFix\backups\catchme.log
C:\SDFix\SDFix\backups\HOSTS
C:\SDFix\SDFix\catchme.exe
C:\SDFix\SDFix\dummy.sys
C:\SDFix\SDFix\Report.txt
C:\SDFix\SDFix\RunThis.bat
C:\SDFix\SDFix\SDFIX_ReadMe_Online.url
C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\wdlw14
C:\Temp\wdlw14\maxN1bo.log
C:\Temp\zvebs14
C:\WINDOWS\b999.exe
C:\WINDOWS\BMb32f5fa1.xml
C:\WINDOWS\system32\bharebio01
C:\WINDOWS\system32\clwsauub.ini
C:\WINDOWS\system32\creafmix.ini
C:\WINDOWS\system32\csuwvrop.ini
C:\WINDOWS\system32\dmjnquew.ini
C:\WINDOWS\system32\erkiqxpb.ini
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\ganevgnt.ini
C:\WINDOWS\system32\haotltdg.ini
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\IDE2\mdllcom2.exe
C:\WINDOWS\system32\iqtisarv.ini
C:\WINDOWS\system32\jvlgjgyx.ini
C:\WINDOWS\system32\lbxombex.ini
C:\WINDOWS\system32\mdggjswl.ini
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\pnVes01
C:\WINDOWS\system32\qfsftsvg.ini
C:\WINDOWS\system32\ruablcdj.ini
C:\WINDOWS\system32\sFi
C:\WINDOWS\system32\sFi\cSEE145.exe
C:\WINDOWS\system32\tbwranuf.ini
C:\WINDOWS\system32\uqnmnxwq.ini
C:\WINDOWS\system32\vpahgrxr.ini
C:\WINDOWS\system32\xduujtmd.ini
C:\WINDOWS\system32\xgdwexnd.ini
C:\WINDOWS\system32\xohdfyjr.ini
C:\WINDOWS\system32\xtdiivuw.ini
C:\WINDOWS\system32\yfsptvrx.ini
C:\WINDOWS\system32\yiwltfkh.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 07:30 . 2008-04-26 07:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 07:27 . 2008-04-26 07:27 <DIR> d-------- C:\Deckard
2008-04-25 18:39 . 2008-04-25 18:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-25 17:23 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-25 17:23 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-25 17:23 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-25 17:23 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-25 17:23 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-25 17:23 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-25 17:23 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-25 17:23 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-25 17:17 . 2008-04-25 17:24 2,930 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-24 19:20 . 2008-04-24 19:25 223 --a------ C:\WINDOWS\HP PrecisionScan Pro.INI
2008-04-24 11:33 . 2004-08-04 07:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-04-24 11:33 . 2004-08-04 07:00 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2008-04-24 07:32 . 2008-04-24 07:52 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-24 07:32 . 2008-04-24 07:52 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-24 07:27 . 2008-04-24 07:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-23 20:05 . 2008-04-24 12:05 <DIR> d-------- C:\Documents and Settings\Olga\Download
2008-04-23 19:52 . 2008-04-26 11:57 2,958,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-23 19:52 . 2008-04-26 11:37 40,340 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-23 19:52 . 2008-04-26 11:57 38,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-23 19:52 . 2008-04-26 11:37 4,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-23 19:51 . 2008-04-23 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-23 19:46 . 2008-04-26 11:26 <DIR> d-------- C:\Antivirus
2008-04-23 19:04 . 2008-04-23 19:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 19:04 . 2008-04-26 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-17 18:55 . 2008-04-24 12:09 18,269 --a------ C:\Documents and Settings\Olga\Application Data\update.log
2008-04-15 23:21 . 2008-04-23 23:16 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-15 15:50 . 2008-04-15 15:50 3,744 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-15 09:05 . 2008-04-15 09:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-15 09:03 . 2007-03-29 07:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-15 09:03 . 2007-03-29 07:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-15 09:03 . 2007-03-29 07:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-15 09:03 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-15 08:50 . 2008-04-15 08:50 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Contacts
2008-04-15 08:27 . 2008-04-26 11:53 <DIR> d-------- C:\Temp
2008-04-07 19:17 . 2008-04-15 09:54 <DIR> d-------- C:\Documents and Settings\Janka\Application Data\skypePM
2008-04-07 19:17 . 2008-04-07 19:17 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-07 19:13 . 2008-04-16 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-29 16:23 . 2008-03-29 16:23 244 --ah----- C:\sqmnoopt02.sqm
2008-03-29 16:23 . 2008-03-29 16:23 232 --ah----- C:\sqmdata02.sqm
2008-03-29 13:01 . 2008-03-29 13:01 268 --ah----- C:\sqmdata01.sqm
2008-03-29 13:01 . 2008-03-29 13:01 244 --ah----- C:\sqmnoopt01.sqm
2008-03-29 09:27 . 2008-03-29 09:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-28 20:39 . 2007-04-25 12:57 864,256 --a------ C:\WINDOWS\Ringo Screensaver.scr
2008-03-28 20:39 . 2008-03-28 20:38 250 --a------ C:\WINDOWS\Install.info
2008-03-28 20:38 . 2008-03-28 20:38 <DIR> d-------- C:\Program Files\Ringo
2008-03-28 20:38 . 2008-04-01 13:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ringo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 16:41 --------- d-----w C:\Documents and Settings\Janka\Application Data\U3
2008-04-17 02:34 --------- d-----w C:\Program Files\Compaq
2008-04-10 08:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 13:19 --------- d-----w C:\Program Files\Google
2008-03-03 01:37 --------- d-----w C:\Documents and Settings\Katia\Application Data\MSNInstaller
2008-03-03 00:04 --------- d-----w C:\Documents and Settings\Kids\Application Data\MSNInstaller
2008-03-02 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 00:02 --------- d-----w C:\Documents and Settings\Janka\Application Data\MSNInstaller
2008-02-29 22:59 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-29 22:58 --------- d-----w C:\Program Files\Windows Live Favorites
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Antivirus ----

2008-04-26 11:26 7201 --a------ C:\Antivirus\hijackthis.log
2008-04-26 11:22 17337 --a------ C:\Antivirus\combofixlog.txt
2008-04-25 20:19 4265 --a------ C:\Antivirus\report.txt
2008-04-25 17:19 1389332 --a------ C:\Antivirus\SmitfraudFix.exe
2008-04-25 10:49 1759119 --a------ C:\Antivirus\SmitfraudFix\SmitfraudFix.cmd
2008-04-24 08:10 86528 --a------ C:\Antivirus\SmitfraudFix\VACFix.exe
2008-04-23 22:14 82944 --a------ C:\Antivirus\SmitfraudFix\IEDFix.exe
2008-04-23 19:56 24 --a------ C:\Antivirus\license.txt
2008-04-23 19:50 23791648 --a------ C:\Antivirus\kaspersky.exe
2008-04-22 20:39 81920 --a------ C:\Antivirus\SmitfraudFix\404Fix.exe
2008-03-02 23:38 77312 --a------ C:\Antivirus\SmitfraudFix\UIFix.exe
2007-10-04 00:36 25600 --a------ C:\Antivirus\SmitfraudFix\WS2Fix.exe
2007-09-06 00:22 289144 --a------ C:\Antivirus\SmitfraudFix\VCCLSID.exe
2007-08-21 08:00 1536 --a------ C:\Antivirus\SmitfraudFix\exit.exe
2007-06-09 21:04 82432 --a------ C:\Antivirus\SmitfraudFix\GenericRenosFix.exe
2007-03-28 18:38 77824 --a------ C:\Antivirus\SmitfraudFix\HostsChk.exe
2006-12-01 06:20 79360 --a------ C:\Antivirus\SmitfraudFix\swxcacls.exe
2006-09-19 22:13 20480 --a------ C:\Antivirus\SmitfraudFix\SmiUpdate.exe
2006-09-15 00:34 167936 --a------ C:\Antivirus\SmitfraudFix\unzip.exe
2006-08-29 19:43 135168 --a------ C:\Antivirus\SmitfraudFix\swreg.exe
2006-04-27 17:49 288417 --a------ C:\Antivirus\SmitfraudFix\SrchSTS.exe
2006-03-07 22:45 16384 --a------ C:\Antivirus\SmitfraudFix\restart.exe
2006-01-09 10:36 40960 --a------ C:\Antivirus\SmitfraudFix\swsc.exe
2005-01-13 21:41 24576 --a------ C:\Antivirus\SmitfraudFix\Reboot.exe
2004-07-31 18:50 51200 --a------ C:\Antivirus\SmitfraudFix\dumphive.exe
2003-06-05 21:13 53248 --a------ C:\Antivirus\SmitfraudFix\Process.exe


((((((((((((((((((((((((((((( snapshot@2008-04-24_12.09.20.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 16:58:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 16:38:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 09:04:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-25 23:40:09 2,617,344 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-25 23:40:09 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-24 09:04:41 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-25 23:39:59 2,617,344 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-25 23:39:59 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-24 12:39:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-25 21:12:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-24 12:39:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-25 21:12:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-24 12:39:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-25 21:12:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-14 07:48 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-03-11 07:24 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-03-11 07:11 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 20:23 32873]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 19:49 98304]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 05:37 69632]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 11:24 485376]
"mMouse"="MouPter.exe" [2003-02-14 14:02 5720064 C:\WINDOWS\MouPter.exe]
"SetMou"="SetMou.exe" [2003-01-22 14:26 244736 C:\WINDOWS\SetMou.exe]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 16:45 279912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

C:\Documents and Settings\Janka\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Katia\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Olga\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\Kids\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-12-14 17:01 32768 C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 16:34 36864 C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2007-04-10 16:46 709992 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 16:45]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4eebc21-e25c-11dc-8e10-001185b62945}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 16:28:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 11:57:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 5

**************************************************************************
.
Completion time: 2008-04-26 11:58:26
ComboFix-quarantined-files.txt 2008-04-26 16:58:23
ComboFix2.txt 2008-04-26 16:22:02
ComboFix3.txt 2008-04-24 17:09:52

Pre-Run: 32,931,598,336 bytes free
Post-Run: 32,882,503,680 bytes free

364 --- E O F --- 2008-04-16 08:07:36

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:12 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
C:\WINDOWS\MouPter.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [mMouse] MouPter.exe
O4 - HKLM\..\Run: [SetMou] SetMou.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6671 bytes

#6 miekiemoes

Posted 26 April 2008 - 01:39 PM

Hi,

Go to the following site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\system32\rundll32.exe

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SR1 (Topic Starter)

Posted 26 April 2008 - 01:57 PM

Is this the report you are looking for?

File rundll32.exe received on 04.26.2008 20:51:46 (CET)
Current status: finished

Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
Additional information
File size: 33280 bytes
MD5...: da285490bbd8a1d0ce6623577d5ba1ff
SHA1..: c466b4f4c2600fd62fbe943d8049afd0f6606f48
SHA256: a46e1537ae3f1752822d72c6c0870fed8afee396c6c1bacc3ea781decd5dcddc
SHA512: df1539d26e63be3596b919b7322e452fabfecd0c83f41a2a22b149024d2ba3947f5f9459c1cb8b871baa30ea92b22261c006e89c62eb644030f05a738c19f43e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001bdc
timedatestamp.....: 0x41107dbc (Wed Aug 04 06:10:04 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x126a 0x1400 5.98 4b72aa36414b16ff54434dcfe0dbf8b9
.data 0x3000 0x38 0x200 0.25 a7f7e8f7f41d7ffb4b369fe282510650
.rsrc 0x4000 0x6730 0x6800 5.55 0b5511230184c1ac668ce8a5df4f111c

( 5 imports )
> msvcrt.dll: _except_handler3, _wtoi, _vsnwprintf
> KERNEL32.dll: FreeLibrary, LocalFree, lstrlenA, WideCharToMultiByte, LocalAlloc, lstrlenW, GetProcAddress, FormatMessageW, GetLastError, LoadLibraryW, ActivateActCtx, CreateActCtxW, SearchPathW, GetFileAttributesW, ReleaseActCtx, DeactivateActCtx, SetErrorMode, ExitProcess, GetModuleHandleW, GetStartupInfoW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter
> GDI32.dll: GetStockObject
> USER32.dll: RegisterClassW, LoadStringW, CharNextW, SetClassLongW, LoadIconW, DefWindowProcW, CreateWindowExW, MessageBoxW, LoadCursorW, DestroyWindow
> IMAGEHLP.dll: ImageDirectoryEntryToData

( 0 exports )

Edited by SR1, 26 April 2008 - 02:01 PM.


#8 miekiemoes

Posted 26 April 2008 - 02:04 PM

Hi,

This one appears to be OK.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows".
  • For Language, select your language.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue.
  • Click on the link to download the Windows Offline Installation and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are running now.

#9 SR1 (Topic Starter)

Posted 26 April 2008 - 02:49 PM

I uninstalled old Java and installed update 6. IE runs fine now, Kaspersky no longer detects any wrongdoing. Keeping my fingers crossed.

THANK YOU SO MUCH!!! My kids use this PC to have video calls with me (I live in another state). I have to leave today; if I hadn't fixed that PC today I wouldn't have been able to video call them for at least two weeks!

Thanks again!

#10 miekiemoes

Posted 26 April 2008 - 03:38 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 SR1 (Topic Starter)

Posted 26 April 2008 - 04:23 PM

Will do. Thanks again!

#12 miekiemoes

Posted 26 April 2008 - 04:26 PM

You're welcome :thumbsup:

#13 miekiemoes

Posted 28 April 2008 - 05:17 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.