Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Trojan.adclicker And Mrofinu72.exe, And Others Possibly


  • This topic is locked This topic is locked
19 replies to this topic

#1 greenterra10

greenterra10

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 11 May 2008 - 10:59 AM

Hi all,

My computer is running super slow and various IE pop ups keep showing up (Internet Speed Tester/Monitor along them) and also various (fake?) virus warnings that try and get me click through via IE and my control panel. My ctrl+alt+delete also doesn't work because it says the administrator has disabled it. The background has also changed to a teal screen with a virus warning with a link. And any IE windows I try to work in seem to crash unexpectedly.

My NortonAntivirus realtime protection has given me a few warnings for the folowing viruses: trojanadclicker, and I think the only mcafee scan showed a mrofinu72.exe before it crashed.

Any help I could get would be extremely welcome as a I have finals this week and need this pc and the files on it.

I've posted the 2 DSS reports below.

Thanks,
tg10





Deckard's System Scanner v20071014.68
Run by terragreen10 on 2008-05-11 10:34:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-11 15:35:28 UTC - RP936 - Deckard's System Scanner Restore Point
1: 2008-05-11 08:29:46 UTC - RP935 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).
System Drive C: has 0.63 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-11 10:42:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\b2new.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\SYSTEM32\wmsdkns.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
C:\Program Files\M?crosoft.NET\notepad.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonProxy.exe
C:\Documents and Settings\Almaaz Karachi\Desktop\dss.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\CNET Downloads\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {6CB32FAE-0933-4080-B998-52357B8423E4} - C:\WINDOWS\SYSTEM32\vtUkheDV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\SYSTEM32\opnkjKBU.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\notepad.exe" -vt yazb
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\Program Files\webHancer\Programs\webhdll.dll
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} () - file://C:\install.cab
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/i263_32.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7848.8632060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: opnkjKBU - C:\WINDOWS\system32\opnkjKBU.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Anonymizer Anti-Spyware Service (AnonAswSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


--
End of file - 9503 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 pgfilter - c:\cnet downloads\peerguardian2\pgfilter.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\b2new.exe service

S4 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-08 19:16:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2004-05-05 10:02:42 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-11 and 2008-05-11 -----------------------------

2008-05-11 10:32:51 316464 -----n--- C:\WINDOWS\system32\ddcYrPGx.dll
2008-05-11 10:28:50 0 d-------- C:\Program Files\Outerinfo
2008-05-11 00:42:10 0 d-------- C:\Documents and Settings\Almaaz Karachi\.housecall6.6
2008-05-11 00:36:16 6989 --ahs---- C:\WINDOWS\system32\VDehkUtv.ini2
2008-05-11 00:35:49 316480 --a------ C:\WINDOWS\system32\vtUkheDV.dll
2008-05-11 00:33:06 29696 --a------ C:\WINDOWS\stcloader.exe
2008-05-11 00:33:03 27136 --a------ C:\WINDOWS\voiceip.dll
2008-05-11 00:33:02 15872 --a------ C:\WINDOWS\swin32.dll
2008-05-11 00:33:02 18688 --a------ C:\WINDOWS\cdsm32.dll
2008-05-11 00:33:01 11264 --a------ C:\WINDOWS\bokja.exe
2008-05-11 00:33:00 20736 --a------ C:\WINDOWS\mssvr.exe
2008-05-11 00:33:00 19968 --a------ C:\WINDOWS\mspphe.dll
2008-05-11 00:32:59 16128 --a------ C:\WINDOWS\bjam.dll
2008-05-11 00:32:59 28160 --a------ C:\WINDOWS\2020search2.dll
2008-05-11 00:32:58 11520 --a------ C:\WINDOWS\2020search.dll
2008-05-11 00:32:43 18432 --a------ C:\WINDOWS\saiemod.dll
2008-05-11 00:32:41 29696 --a------ C:\WINDOWS\msapasrc.dll
2008-05-11 00:32:40 25856 --a------ C:\WINDOWS\msa64chk.dll
2008-05-11 00:32:38 22272 --a------ C:\WINDOWS\shdocpl.dll
2008-05-11 00:32:36 24064 --a------ C:\WINDOWS\shdocpe.dll
2008-05-11 00:32:36 17152 --a------ C:\WINDOWS\ntnut.exe
2008-05-11 00:32:32 23040 --a------ C:\WINDOWS\winsb.dll
2008-05-11 00:32:31 17408 --a------ C:\WINDOWS\browserad.dll
2008-05-11 00:32:31 26368 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-11 00:32:30 24576 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-11 00:32:29 15104 --a------ C:\WINDOWS\avifile32.dll
2008-05-11 00:32:28 19200 --a------ C:\WINDOWS\autodisc32.dll
2008-05-11 00:32:28 32000 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-11 00:32:27 32000 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-11 00:32:26 9216 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-11 00:32:26 20992 --a------ C:\WINDOWS\athprxy32.dll
2008-05-11 00:32:26 14848 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-11 00:32:25 16896 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-11 00:32:25 20480 --a------ C:\WINDOWS\asferror32.dll
2008-05-11 00:32:25 19200 --a------ C:\WINDOWS\apphelp32.dll
2008-05-11 00:13:44 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 00:13:33 0 d-------- C:\Program Files\M?crosoft.NET
2008-05-11 00:12:37 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-11 00:12:23 25728 --a------ C:\WINDOWS\system32\opnkjKBU.dll
2008-05-11 00:11:44 0 d-------- C:\Program Files\webHancer
2008-05-11 00:11:18 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 00:11:14 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-11 00:10:57 91563 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-11 00:10:57 91563 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-11 00:10:48 25600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 13:10:08 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-09 12:10:10 229514 --a------ C:\WINDOWS\system32\000080.exe
2008-05-03 11:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-05-02 21:59:30 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-02 21:58:22 0 d-------- C:\WINDOWS\AiOTemp


-- Find3M Report ---------------------------------------------------------------

2008-05-11 00:13:44 0 d-------- C:\Program Files\Common Files
2008-05-11 00:13:35 0 d-------- C:\Program Files\M?crosoft.NET
2008-05-10 10:01:53 0 d-------- C:\Documents and Settings\Almaaz Karachi\Application Data\Azureus
2008-05-02 23:03:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-02 22:45:14 0 d-------- C:\Program Files\Google
2008-05-02 22:40:56 0 d-------- C:\Program Files\Microsoft Works
2008-05-02 22:30:11 0 d-------- C:\Program Files\Kodak EasyShare Software
2008-05-02 22:24:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-30 21:24:57 0 d-------- C:\Documents and Settings\Almaaz Karachi\Application Data\Adobe
2008-03-30 21:24:56 0 d-------- C:\Documents and Settings\Almaaz Karachi\Application Data\Macromedia
2008-03-30 21:14:56 2424 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB32FAE-0933-4080-B998-52357B8423E4}]
05/11/2008 12:35 AM 316480 --a------ C:\WINDOWS\system32\vtUkheDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/11/2008 12:12 AM 25728 --a------ C:\WINDOWS\system32\opnkjKBU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/02/2003 05:21 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/02/2003 05:15 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 01:21 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"runner1"="C:\WINDOWS\mrofinu72.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"Anonymizer"="C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe" [04/09/2008 10:57 PM]
"Aida"="C:\PROGRA~1\MCROSO~1.NET\notepad.exe" [05/11/2008 12:13 AM]

C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\
DESKTOP.INI [11/14/2001 6:31:16 PM]
Hewlett-Packard Recorder.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe [8/23/2000 12:48:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/14/2001 6:31:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Search"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\opnkjKBU.dll [05/11/2008 12:12 AM 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjKBU]
opnkjKBU.dll 05/11/2008 12:12 AM 25728 C:\WINDOWS\SYSTEM32\opnkjKBU.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUkheDV

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Almaaz Karachi^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exam4]
"c:\Progra~1\Extegrity\Exam4\exam4.exe" "C:\Exam40\wed_041002_OtherD_NA_PRACTICE_9550.xm2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp]
C:\Program Files\OfferApp\OfferApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
C:\CNET Downloads\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Plugin Install]
C:\Program Files\QuickTime\Plugins\DeleteMe1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"rpcapd"=3 (0x3)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- End of Deckard's System Scanner: finished at 2008-05-11 10:45:16 ------------









Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 Mobile CPU 1.60GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 383.43 MiB / 105.49 MiB
Pagefile Memory (total/avail): 923.15 MiB / 521.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.35 MiB

C: is Fixed (NTFS) - 27.91 GiB total, 0.63 GiB free.

\\.\PHYSICALDRIVE0 - HITACHI_DK23DA-30 - 27.95 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 27.91 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\CNET Downloads\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\CNET Downloads\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe:*:Disabled:hpgs2wnf Module"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\CNET Downloads\\Soulseek\\slsk.exe"="C:\\CNET Downloads\\Soulseek\\slsk.exe:*:Enabled:SoulSeek Client"
"C:\\PROGRA~1\\ExamSoft\\SofTest\\SoftLnch.exe"="C:\\PROGRA~1\\ExamSoft\\SofTest\\SoftLnch.exe:*:Enabled:SofLaunch"
"C:\\PROGRA~1\\ExamSoft\\SofTest\\softest.exe"="C:\\PROGRA~1\\ExamSoft\\SofTest\\SofTest.exe:*:Enabled:SofTest"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\CNET Downloads\\Azureus\\Azureus.exe"="C:\\CNET Downloads\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Corel\\WordPerfect 2002\\Register\\NAVBrowser.exe"="C:\\Program Files\\Corel\\WordPerfect 2002\\Register\\NAVBrowser.exe:*:Enabled:NAVBrowser"
"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe"="C:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe:*:Enabled:NAVBrowser"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"="C:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe:*:Enabled:AnonProxy"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Almaaz Karachi\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BLUEJAY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Almaaz Karachi
LOGONSERVER=\\BLUEJAY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ALMAAZ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ALMAAZ~1\LOCALS~1\Temp
USERDOMAIN=BLUEJAY
USERNAME=Almaaz Karachi
USERPROFILE=C:\Documents and Settings\Almaaz Karachi
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Almaaz Karachi (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Documents and Settings\Almaaz Karachi\Desktop\EJ DVD Rip Tutor\FlasKMPEG 0.6 Preview\uninst-nsis.exe"
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /X{48FCCE4F-9D37-41BA-92C1-17BF5CFAA347}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\CNET Downloads\AC3Filter\uninstall.exe
AC97 SoftV92 Data Fax Modem --> C:\Program Files\CONEXANT\CNXT_MODEM\HXFSETUP.EXE -U -Icnxthsf2.inf
AccessDirect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{417B79C9-CDB4-477F-952D-840CEFC57A6C}\setup.exe"
Actiontec MD56ORD V92 MDC Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_2486&SUBSYS_542114F1\HxFSETUP.EXE -U -IVEN_8086&DEV_2486&SUBSYS_542114F1
Ad-Aware SE Personal --> C:\CNETDO~1\AD-AWA~1\UNWISE.EXE C:\CNETDO~1\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Adobe\SHOCKW~1\Install.log
AdWare & SpyWare --> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.adwareremovergold.com/?revid=31418&s=1"
Anonymizer Software --> "C:\Documents and Settings\All Users\Application Data\{9E97B640-FCFE-4900-B18A-72FAE662D6B7}\Anonymizer_Software.exe" REMOVE=TRUE MODIFY=FALSE
Anonymizer Software --> C:\Documents and Settings\All Users\Application Data\{9E97B640-FCFE-4900-B18A-72FAE662D6B7}\Anonymizer_Software.exe
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Azureus --> C:\CNET Downloads\Azureus\Uninstall.exe
Camtasia Studio 3 --> C:\CNET Downloads\Camtasia Studio 3\CSuninst.EXE
dBpowerAMP Music Converter --> "C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Music Converter.dat
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Ecuador's AVI Bitrate Calculator --> C:\WINDOWS\iun6002.exe "C:\Documents and Settings\Almaaz Karachi\Desktop\EJ DVD Rip Tutor\irunin.ini"
EsOCXs --> C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
ExtractNow --> "C:\CNET Downloads\ExtractNow\unins000.exe"
FLV Player 1.3.3 --> "C:\CNET Downloads\FLVPlayer\uninstall.exe"
hp officejet v series --> C:\WINDOWS\system32\hpocon09.exe /u 1209784646 /d "hp officejet v series"
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod Updater 2004-08-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F8C106A-7DFC-45DE-8006-F9145AADF1D8} /l1033
ITS Remote Printing for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0E78A8-4825-40A2-9CE3-868EE7145A60}\setup.exe"
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kazaa Lite K++ v2.4.3 --> "C:\CNET Downloads\Kazaa Lite K++\unins000.exe"
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" ControlPanel
Mozilla Firefox (1.5) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.5 (en-US)"
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm --> MsiExec.exe /X{0CD3CFF0-9A22-4CDA-BF1B-FA73C1D8B95B}
PeerGuardian 2.0 --> "C:\CNET Downloads\PeerGuardian2\unins000.exe"
PlexTools Professional V2.20 --> MsiExec.exe /X{E5F32102-16F1-42D1-84F4-1E8DCD4A0F7D}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove DivX Codec --> C:\WINDOWS\unvise32.exe c:\program files\divx 5.03\DivX Codec\UninstalDivXCodec.log
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
SoulSeek Client 156c --> "C:\CNET Downloads\Soulseek\uninstall.exe"
Spybot - Search & Destroy 1.3 --> "C:\CNET Downloads\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\CNET Downloads\SpywareBlaster\unins000.exe"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TrueMobile 1150 Client Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0F8B60-6C6A-11D4-9630-0060B0FBF2F6}\setup.exe"
VideoLAN VLC media player 0.8.5 --> C:\CNET Downloads\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WordPerfect Office 2002 OEM --> C:\WINDOWS\Corel\uninst32.exe
WordPerfect Office 2002 OEM --> MsiExec.exe /I{29D88826-2AB9-11D5-8854-00902761A46D}


-- Application Event Log -------------------------------------------------------

Event Record #/Type5019 / Error
Event Submitted/Written: 05/11/2008 10:29:01 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Adclicker in File: C:\Program Files\Outerinfo\FF\components\FF.dll by: Realtime Protection scan. Action: Quarantine succeeded : Access denied

Event Record #/Type5018 / Error
Event Submitted/Written: 05/11/2008 10:28:50 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Adclicker in File: C:\DOCUME~1\ALMAAZ~1\LOCALS~1\Temp\NDrv.exe by: Realtime Protection scan. Action: Quarantine succeeded : Access denied

Event Record #/Type5017 / Error
Event Submitted/Written: 05/11/2008 10:28:50 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Adclicker in File: C:\DOCUME~1\ALMAAZ~1\LOCALS~1\Temp\NDrv.dll by: Realtime Protection scan. Action: Quarantine succeeded : Access denied

Event Record #/Type5014 / Error
Event Submitted/Written: 05/11/2008 10:27:59 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\WINDOWS\mrofinu72.exe by: Realtime Protection scan. Action: Quarantine succeeded : Access denied

Event Record #/Type5007 / Error
Event Submitted/Written: 05/11/2008 02:50:52 AM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\WINDOWS\mrofinu72.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type466038 / Error
Event Submitted/Written: 05/11/2008 00:38:14 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Anonymizer Anti-Spyware Service service to connect.

Event Record #/Type466019 / Error
Event Submitted/Written: 05/11/2008 00:30:36 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.

Event Record #/Type466018 / Error
Event Submitted/Written: 05/11/2008 00:30:36 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Anonymizer Anti-Spyware Service service to connect.

Event Record #/Type466010 / Error
Event Submitted/Written: 05/11/2008 00:13:33 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Symantec AntiVirus Client service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type466003 / Warning
Event Submitted/Written: 05/11/2008 00:07:22 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-05-11 10:45:16 ------------

BC AdBot (Login to Remove)

 


m

#2 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 11 May 2008 - 11:13 AM

Here is a copy of the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:08 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\b2new.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MCROSO~1.NET\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\notepad.exe" -vt yazb
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Anonymizer Anti-Spyware Service (AnonAswSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5476 bytes

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 12 May 2008 - 09:25 AM

Hello greenterra10,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Symantec/Norton Antivirus before running ComboFix, as it will prevent it from running.

To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

 When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT  It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read  here   what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 12 May 2008 - 09:28 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 12 May 2008 - 11:27 AM

ComboFix log below.


Symptom Update (if needed):
My desktop background is no longer has an anti-spyware link, but it isn't my normal background. Random Firefox and IE pages pop up trying to sell me anti-spyware software. They also get redirected to random pages (fubar.com, ovguide.com, etc.). Also, certain websites take forever to load if they load at all, bleepingcomputer.com is among them.

Also, my Task Manager is accessible now.


Thanks, SifuMike.



ComboFix 08-05-11.1 - Almaaz Karachi 2008-05-12 10:27:40.1 - NTFSx86
Running from: C:\Documents and Settings\Almaaz Karachi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\mcroso~1.net
C:\Program Files\mcroso~1.net\?ystem\
C:\Program Files\mcroso~1.net\notepad.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.ini
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\000060.exe
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sft.res
C:\WINDOWS\SYSTEM32\VDehkUtv.ini
C:\WINDOWS\SYSTEM32\VDehkUtv.ini2
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 10:34 . 2008-05-11 10:34 <DIR> d-------- C:\Deckard
2008-05-11 00:43 . 2008-05-11 00:43 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-11 00:42 . 2008-05-11 00:47 <DIR> d-------- C:\Documents and Settings\Almaaz Karachi\.housecall6.6
2008-05-11 00:35 . 2008-05-11 00:35 316,480 --a------ C:\WINDOWS\SYSTEM32\vtUkheDV.dll
2008-05-11 00:12 . 2008-05-11 00:12 25,728 --a------ C:\WINDOWS\SYSTEM32\opnkjKBU.dll
2008-05-11 00:12 . 2008-05-11 00:12 578 --a------ C:\WINDOWS\index.html
2008-05-11 00:10 . 2008-05-11 00:10 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-08 18:28 . 2008-05-08 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-08 18:28 . 2008-05-08 18:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 21:59 . 2008-05-02 22:45 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 21:58 . 2008-05-02 22:04 <DIR> d-------- C:\WINDOWS\AiOTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 15:01 --------- d-----w C:\Documents and Settings\Almaaz Karachi\Application Data\Azureus
2008-05-05 16:19 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-05-03 04:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 04:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-03 03:45 --------- d-----w C:\Program Files\Google
2008-05-03 03:40 --------- d-----w C:\Program Files\Microsoft Works
2008-05-03 03:30 --------- d-----w C:\Program Files\Kodak EasyShare Software
2008-05-03 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-11-13 02:27 81,968 ----a-w C:\Documents and Settings\Almaaz Karachi\Application Data\GDIPFONTCACHEV1.DAT
2001-05-24 15:59 162,304 ----a-w C:\Program Files\UNWISE.EXE
2004-01-23 22:30 220 --sh--w C:\WINDOWS\dwin.sys
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sh--w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sh--w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB32FAE-0933-4080-B998-52357B8423E4}]
2008-05-11 00:35 316480 --a------ C:\WINDOWS\system32\vtUkheDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 00:12 25728 --a------ C:\WINDOWS\system32\opnkjKBU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"Anonymizer"="C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe" [2008-04-09 22:57 1557176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 17:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 17:15 610304]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\
Hewlett-Packard Recorder.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe [2000-08-23 12:48:42 67584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\opnkjKBU.dll [2008-05-11 00:12 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjKBU]
opnkjKBU.dll 2008-05-11 00:12 25728 C:\WINDOWS\SYSTEM32\opnkjKBU.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv
"MSVideo"= CSvidcap.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Almaaz Karachi^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2004-11-06 12:27 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
--a------ 2008-04-09 22:57 1557176 C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2002-05-08 08:15 286720 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-01-31 21:16 189476 C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exam4]
c:\Progra~1\Extegrity\Exam4\exam4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-06-11 09:58 147456 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp]
C:\Program Files\OfferApp\OfferApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 19:40 1421824 C:\CNET Downloads\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2001-04-02 01:29 77887 C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Plugin Install]
--a------ 2007-04-02 21:38 49152 C:\Program Files\QuickTime\Plugins\DeleteMe1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-01-08 14:54 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-08 14:54 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\CNET Downloads\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\CNET Downloads\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\CNET Downloads\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49125:TCP"= 49125:TCP:azureus

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2001-10-15 04:34]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys [2001-08-17 17:00]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 00:52]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 15:56:36 C:\WINDOWS\Tasks\Anonymizer scan for spyware.job"
- C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
"2008-05-09 00:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-05-05 15:02:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 10:47:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnkjKBU.dll
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
.
**************************************************************************
.
Completion time: 2008-05-12 11:02:47 - machine was rebooted [Almaaz Karachi]
ComboFix-quarantined-files.txt 2008-05-12 16:02:18

Pre-Run: 569,978,880 bytes free
Post-Run: 565,383,168 bytes free

289 --- E O F --- 2008-04-29 08:49:46

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 12 May 2008 - 04:12 PM

Hello greenterra10,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\index.html
C:\WINDOWS\SYSTEM32\vtUkheDV.dll
C:\WINDOWS\SYSTEM32\opnkjKBU.dll
C:\WINDOWS\b2new.exe

Folder:: 
C:\Program Files\Save

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB32FAE-0933-4080-B998-52357B8423E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"=-  
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjKBU]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 12 May 2008 - 07:29 PM

ComboFix and HijackThis logs posted below.

Symptom Update (noticaeable ones, at least):
-Upon reboot, I got a Norton warning for the Downloader virus.
-Windows Explorer crashes periodically
-Firefox and IE won't load certain pages at all - hotmail.com, bleepingcomputer.com, and any search engine search results.

Thanks, SifuMike.


ComboFix 08-05-11.1 - Almaaz Karachi 2008-05-12 17:30:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT -5:00]
Running from: C:\Documents and Settings\Almaaz Karachi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Almaaz Karachi\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\b2new.exe
C:\WINDOWS\index.html
C:\WINDOWS\SYSTEM32\opnkjKBU.dll
C:\WINDOWS\SYSTEM32\vtUkheDV.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b2new.exe
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\ivihburg.ini
C:\WINDOWS\SYSTEM32\opnkjKBU.dll
C:\WINDOWS\system32\VDehkUtv.ini
C:\WINDOWS\SYSTEM32\VDehkUtv.ini2
C:\WINDOWS\SYSTEM32\vtUkheDV.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 11:07 . 2008-05-12 11:07 98,896 --a------ C:\WINDOWS\SYSTEM32\vakokfxc.dll
2008-05-12 11:07 . 2008-05-12 11:07 83,008 --a------ C:\WINDOWS\SYSTEM32\grubhivi.dll
2008-05-12 11:06 . 2008-05-12 11:15 109,861 --a------ C:\WINDOWS\BMa7aba957.xml
2008-05-12 11:06 . 2008-05-12 11:06 90,176 --a------ C:\WINDOWS\SYSTEM32\nraroqvm.dll
2008-05-12 11:06 . 2008-05-12 11:06 2,048 --a------ C:\WINDOWS\SYSTEM32\kiabfhpn.exe
2008-05-11 10:34 . 2008-05-11 10:34 <DIR> d-------- C:\Deckard
2008-05-11 00:43 . 2008-05-11 00:43 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-11 00:42 . 2008-05-11 00:47 <DIR> d-------- C:\Documents and Settings\Almaaz Karachi\.housecall6.6
2008-05-08 18:28 . 2008-05-08 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-08 18:28 . 2008-05-08 18:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 21:59 . 2008-05-02 22:45 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 21:58 . 2008-05-02 22:04 <DIR> d-------- C:\WINDOWS\AiOTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 15:01 --------- d-----w C:\Documents and Settings\Almaaz Karachi\Application Data\Azureus
2008-05-05 16:19 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-05-03 04:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 04:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-03 03:45 --------- d-----w C:\Program Files\Google
2008-05-03 03:40 --------- d-----w C:\Program Files\Microsoft Works
2008-05-03 03:30 --------- d-----w C:\Program Files\Kodak EasyShare Software
2008-05-03 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-11-13 02:27 81,968 ----a-w C:\Documents and Settings\Almaaz Karachi\Application Data\GDIPFONTCACHEV1.DAT
2001-05-24 15:59 162,304 ----a-w C:\Program Files\UNWISE.EXE
2004-01-23 22:30 220 --sh--w C:\WINDOWS\dwin.sys
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sha-w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_11.00.14.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 15:42:32 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-12 22:54:16 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4f2afca-bac6-43d8-984d-c9e6fe3a53a0}]
2008-05-12 11:07 98896 --a------ C:\WINDOWS\system32\vakokfxc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 17:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 17:15 610304]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"a4989acb"="C:\WINDOWS\system32\grubhivi.dll" [2008-05-12 11:07 83008]
"BMa7aba957"="C:\WINDOWS\system32\nraroqvm.dll" [2008-05-12 11:06 90176]

C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\
Hewlett-Packard Recorder.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe [2000-08-23 12:48:42 67584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv
"MSVideo"= CSvidcap.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Almaaz Karachi^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2004-11-06 12:27 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
--a------ 2008-04-09 22:57 1557176 C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2002-05-08 08:15 286720 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-01-31 21:16 189476 C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exam4]
c:\Progra~1\Extegrity\Exam4\exam4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-06-11 09:58 147456 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp]
C:\Program Files\OfferApp\OfferApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 19:40 1421824 C:\CNET Downloads\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2001-04-02 01:29 77887 C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Plugin Install]
--a------ 2007-04-02 21:38 49152 C:\Program Files\QuickTime\Plugins\DeleteMe1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-01-08 14:54 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-08 14:54 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\CNET Downloads\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\CNET Downloads\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\CNET Downloads\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49125:TCP"= 49125:TCP:azureus

R2 AnonAswSvc;Anonymizer Anti-Spyware Service;"C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe" [2007-10-22 04:12]
R2 AnonMgmtSvc;Anonymizer Management Service;"C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe" [2007-10-22 04:12]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2001-10-15 04:34]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys [2001-08-17 17:00]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 00:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 15:56:36 C:\WINDOWS\Tasks\Anonymizer scan for spyware.job"
- C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
"2008-05-09 00:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-05-05 15:02:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 18:34:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ivihburg.ini 294 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\grubhivi.dll
-> C:\WINDOWS\system32\nraroqvm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-12 18:45:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 23:45:19
ComboFix2.txt 2008-05-12 16:02:52

Pre-Run: 595,017,728 bytes free
Post-Run: 585,183,232 bytes free

230 --- E O F --- 2008-04-29 08:49:46









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:26 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\CNETDO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {0a35a3ef-6e9c-d489-8d34-6cabacfa2f4c} - {c4f2afca-bac6-43d8-984d-c9e6fe3a53a0} - C:\WINDOWS\system32\vakokfxc.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a4989acb] rundll32.exe "C:\WINDOWS\system32\grubhivi.dll",b
O4 - HKLM\..\Run: [BMa7aba957] Rundll32.exe "C:\WINDOWS\system32\nraroqvm.dll",s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O23 - Service: Anonymizer Anti-Spyware Service (AnonAswSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5355 bytes

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 12 May 2008 - 10:49 PM

Hello greenterra10,




You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\ivihburg.ini

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.





Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\SYSTEM32\vakokfxc.dll
C:\WINDOWS\SYSTEM32\grubhivi.dll
C:\WINDOWS\BMa7aba957.xml
C:\WINDOWS\SYSTEM32\nraroqvm.dll
C:\WINDOWS\SYSTEM32\kiabfhpn.exe
C:\WINDOWS\pskt.ini

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4f2afca-bac6-43d8-984d-c9e6fe3a53a0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a4989acb"=-  
"BMa7aba957"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 12 May 2008 - 10:52 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 13 May 2008 - 12:23 AM

Thanks for the quick response SifuMike!

Symptom Update:
No noticeable problems loading the previously mentioned web pages.
No more random pop-ups trying to sell me spyware.
No more fake system warnings regarding viruses or spyware (via dialog box, pop-up, or icon in my system tray).

I don't know if this matters of not, but upon reboot prior to running the 3 programs you asked me to run, 2 alert dialog boxes came up. Both were titled "RUNDLL Window". The first had the message, "Error loading C:\WINDOWS\system32\grubhivi.dll. Invalid access to memory location." The second box had the message, ""Error loading C:\WINDOWS\system32\nraroqvm.dll. Invalid access to memory location."

No messages popped upon reboot after I ran the three things you mentioned.

I've posted the Virustotal.com scan log below, followed by the ComboFix log, and then the HijackThis log.





VIRUSTOTAL.COM SCAN:

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.10 -
AntiVir 7.8.0.17 2008.05.12 -
Authentium 5.1.0.4 2008.05.13 -
Avast 4.8.1169.0 2008.05.12 -
AVG 7.5.0.516 2008.05.12 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.12 -
ClamAV 0.92.1 2008.05.12 -
DrWeb 4.44.0.09170 2008.05.12 -
eSafe 7.0.15.0 2008.05.12 -
eTrust-Vet 31.4.5783 2008.05.12 -
Ewido 4.0 2008.05.12 -
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.13 -
Fortinet 3.14.0.0 2008.05.13 -
GData 2.0.7306.1023 2008.05.12 -
Ikarus T3.1.1.26.0 2008.05.13 -
Kaspersky 7.0.0.125 2008.05.13 -
McAfee 5293 2008.05.12 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3094 2008.05.12 -
Norman 5.80.02 2008.05.09 -
Panda 9.0.0.4 2008.05.12 -
Prevx1 V2 2008.05.13 -
Rising 20.44.10.00 2008.05.13 -
Sophos 4.29.0 2008.05.13 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.13 -
TheHacker 6.2.92.307 2008.05.12 -
VBA32 3.12.6.5 2008.05.12 -
VirusBuster 4.3.26:9 2008.05.12 -
Webwasher-Gateway 6.6.2 2008.05.12 -

Additional information
File size: 474 bytes
MD5...: cabd7295db1eab45ecabb2dad4cf5c12
SHA1..: 66c4536f2638ae764256e30fb509d6f295d3a194
SHA256: 1fbc82ac74917588937da79353d1d1eb368d63a0be81ad16b71ca061187be118
SHA512: 5a2752476ff53a3c5ee7171f2153dcf41700e376686b2e02d3455e3d5b2aa9fe
f47e733eb372f44e7964224e67dcb7ada18544d74af3c73235f955175bd40a04
PEiD..: -
PEInfo: -




ComboFix 08-05-11.1 - Almaaz Karachi 2008-05-12 23:35:12.3 - NTFSx86
Running from: C:\Documents and Settings\Almaaz Karachi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Almaaz Karachi\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMa7aba957.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\grubhivi.dll
C:\WINDOWS\SYSTEM32\kiabfhpn.exe
C:\WINDOWS\SYSTEM32\nraroqvm.dll
C:\WINDOWS\SYSTEM32\vakokfxc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMa7aba957.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\grubhivi.dll
C:\WINDOWS\SYSTEM32\kiabfhpn.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nraroqvm.dll
C:\WINDOWS\SYSTEM32\vakokfxc.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 18:36 . 2008-05-12 19:22 474 ---hs---- C:\WINDOWS\SYSTEM32\ivihburg.ini
2008-05-11 10:34 . 2008-05-11 10:34 <DIR> d-------- C:\Deckard
2008-05-11 00:43 . 2008-05-11 00:43 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-11 00:42 . 2008-05-11 00:47 <DIR> d-------- C:\Documents and Settings\Almaaz Karachi\.housecall6.6
2008-05-08 18:28 . 2008-05-08 18:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-08 18:28 . 2008-05-08 18:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 21:59 . 2008-05-02 22:45 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 21:58 . 2008-05-02 22:04 <DIR> d-------- C:\WINDOWS\AiOTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 15:01 --------- d-----w C:\Documents and Settings\Almaaz Karachi\Application Data\Azureus
2008-05-05 16:19 28,164 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-05-03 04:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 04:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-03 03:45 --------- d-----w C:\Program Files\Google
2008-05-03 03:40 --------- d-----w C:\Program Files\Microsoft Works
2008-05-03 03:30 --------- d-----w C:\Program Files\Kodak EasyShare Software
2008-05-03 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-11-13 02:27 81,968 ----a-w C:\Documents and Settings\Almaaz Karachi\Application Data\GDIPFONTCACHEV1.DAT
2001-05-24 15:59 162,304 ----a-w C:\Program Files\UNWISE.EXE
2004-01-23 22:30 220 --sh--w C:\WINDOWS\dwin.sys
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sha-w C:\WINDOWS\SYSTEM32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2007-05-17 11:28 549,376 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\SYSTEM32\olepro32.dll
2004-08-04 07:56 11,776 --sha-w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_11.00.14.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 15:42:32 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-13 04:42:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 17:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 17:15 610304]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\
Hewlett-Packard Recorder.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe [2000-08-23 12:48:42 67584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Search"= 2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv
"MSVideo"= CSvidcap.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Almaaz Karachi^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Almaaz Karachi\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2004-11-06 12:27 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
--a------ 2008-04-09 22:57 1557176 C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2002-05-08 08:15 286720 C:\WINDOWS\SYSTEM32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-01-31 21:16 189476 C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exam4]
c:\Progra~1\Extegrity\Exam4\exam4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-06-11 09:58 147456 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfferApp]
C:\Program Files\OfferApp\OfferApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 19:40 1421824 C:\CNET Downloads\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2001-04-02 01:29 77887 C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Plugin Install]
--a------ 2007-04-02 21:38 49152 C:\Program Files\QuickTime\Plugins\DeleteMe1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-01-08 14:54 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-08 14:54 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-12 12:24 106557 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\Program Files\WeatherCast\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\CNET Downloads\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\CNET Downloads\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\CNET Downloads\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Register\\NAVBrowser.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Anonymizer\\Anonymizer Software\\Common\\AnonProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49125:TCP"= 49125:TCP:azureus

R2 AnonAswSvc;Anonymizer Anti-Spyware Service;"C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe" [2007-10-22 04:12]
R2 AnonMgmtSvc;Anonymizer Management Service;"C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe" [2007-10-22 04:12]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2001-10-15 04:34]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys [2001-08-17 17:00]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 00:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 15:56:36 C:\WINDOWS\Tasks\Anonymizer scan for spyware.job"
- C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
"2008-05-09 00:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-05-05 15:02:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 23:43:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [372] 0x8328A5D0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2008-05-12 23:57:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 04:57:11
ComboFix2.txt 2008-05-12 23:45:49
ComboFix3.txt 2008-05-12 16:02:52

Pre-Run: 560,955,392 bytes free
Post-Run: 546,824,192 bytes free

218 --- E O F --- 2008-04-29 08:49:46







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:01 AM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\CNETDO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O23 - Service: Anonymizer Anti-Spyware Service (AnonAswSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 5033 bytes

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 13 May 2008 - 12:44 AM

Hello greenterra10,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab


These are optional fixes. The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources. )

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
(Description: (Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 13 May 2008 - 09:51 AM

Regarding this part:

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"


When I open HJT, the Main Menu appears with 6 option boxes - "Do a system scan and save a logfile", "Do a system scan only", "View the list of backups", "Open the misc tools section", "Open online HJT quickstart", and "None of the above, just start the program".

Where do I find the "fix checked" button/check box?

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 13 May 2008 - 11:52 AM

When I open HJT, the Main Menu appears with 6 option boxes - "Do a system scan and save a logfile", "Do a system scan only", "View the list of backups", "Open the misc tools section", "Open online HJT quickstart", and "None of the above, just start the program".



You want the "Do a system scan only" button

Where do I find the "fix checked" button/check box?


At the bottom of the page.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 13 May 2008 - 05:22 PM

No noticeable problems - computer seems to be running fine now.

I've posted the HijackThis log below.

I've also included results from a Kaspersky online scan (performed after running HJT) indicating stuff is infected (also attached as html file if that is easier for you to read). Are these things to worry about/address?




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:05 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\CNETDO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\FRU\Remind32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O23 - Service: Anonymizer Anti-Spyware Service (AnonAswSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\AnonASW\AnonAswSvc.exe
O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 4970 bytes






KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 13, 2008 5:14:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/05/2008
Kaspersky Anti-Virus database records: 770305


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\

Scan Statistics
Total number of scanned objects 57052
Number of viruses found 14
Number of infected objects 54
Number of suspicious objects 0
Duration of the scan process 01:49:29

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\b2new.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\BLR2DF.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\BLR2DF.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\BLR2DF.tmp NSIS: infected - 2 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\ie.exe Infected: Trojan-Clicker.Win32.Delf.yh skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\ismtpa15.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.z skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\ismtpa15.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.z skipped

C:\Deckard\System Scanner\backup\DOCUME~1\xxxxxx~1\LOCALS~1\Temp\ismtpa15.exe NSIS: infected - 2 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356 RarSFX: infected - 5 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03356 CryptFF.b: infected - 5 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360 RarSFX: infected - 5 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\syswcc32.exe.bac_a03360 CryptFF.b: infected - 5 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\VT334ad.exe.bac_a03360 Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\webhdll.dll.bac_a03360 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\whiehlpr.dll.bac_a03360 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\.housecall6.6\Quarantine\whinstaller.exe.bac_a03360 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\xxxxxx\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\xxxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\xxxxxx\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\xxxxxx\ntuser.dat Object is locked skipped

C:\Documents and Settings\xxxxxx\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped

C:\QooBox\Quarantine\C\Program Files\MCROSO~1.NET\notepad.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped

C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\webhdll.dll.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\QooBox\Quarantine\C\WINDOWS\b2new.exe.vir Infected: Trojan-Downloader.Win32.Agent.otg skipped

C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped

C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000060.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000060.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000060.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000080.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000080.exe.vir NSIS: infected - 1 skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146818.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146821.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146855.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146856.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146857.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146858.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146858.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146859.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146859.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146859.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146860.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP937\A0146860.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP939\A0146920.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\change.log Object is locked skipped

C:\WINDOWS\assembly\NativeImages1_v2.0.50727\AnonAswLib\1.0.0.2___58c7c1aa\AnonAswLib.dll_ Object is locked skipped

C:\WINDOWS\assembly\NativeImages1_v2.0.50727\AnonAswSvc\1.0.0.2___f7d9ae30\AnonAswSvc.exe_ Object is locked skipped

C:\WINDOWS\assembly\NativeImages1_v2.0.50727\AnonMgmtSvc\1.0.0.2___5fc57ce2\AnonMgmtSvc.exe_ Object is locked skipped

C:\WINDOWS\assembly\NativeImages1_v2.0.50727\AnonServiceLib\1.0.0.2___41194bdb\AnonServiceLib.dll_ Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\in10b6.dll Infected: Trojan.Win32.Revop.c skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Attached Files


Edited by greenterra10, 14 May 2008 - 11:10 AM.


#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 13 May 2008 - 09:43 PM

Hello greenterra10,

Kaspersky scan found one item to we need to remove. :thumbsup:
All the others were previously quarentined by ComboFix, DSS backup and system Restore folder. We will be deleting ComboFix, DSS and emptying System Restore folder shortly.


Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\in10b6.dll

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 greenterra10

greenterra10
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 13 May 2008 - 10:17 PM

Hi SifuMike,

Here are the results of OTMoveIt2:



C:\WINDOWS\SYSTEM32\in10b6.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\in10b6.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05132008_221228

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:03 AM

Posted 13 May 2008 - 11:11 PM

Hi greenterra10,

Please post a fresh Hijackthis log and tell me how your computer is running.

Edited by SifuMike, 13 May 2008 - 11:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users