
Virtumonde Infection


  • This topic is locked
8 replies to this topic

#1 ec2recol

ec2recol

  • Members
  • 4 posts

Posted 01 June 2008 - 11:15 PM

Random popups. Random DLLs running. Random startup entries. I have been deleting them manually. I have also used various tools to remove them. I have the Spybot Search & Destroy program running, and it is able to interfere with the registry changes that the virus is making. I am also able to scan for the virus and remove it using Spybot, but when I restart the PC it all comes back. I need serious help on this one.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:03 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 TECH PK-635 PC Camera
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM93ebc65f] Rundll32.exe "C:\WINDOWS\system32\tlubifim.dll",s
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191862264593
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5490 bytes

#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 01 June 2008 - 11:18 PM

Hello Ec2recol!

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.

#3 ec2recol

ec2recol
  • Topic Starter

  • Members
  • 4 posts

Posted 01 June 2008 - 11:21 PM

Okay, thanks!

#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 02 June 2008 - 08:16 AM

Hello :thumbsup:

Step #1
You have the program Spybot S&D (TeaTimer option) running on your machine, and that is good. But prior to doing the fix below with HijackThis, it needs to be turned off. Please do the following:
  • Right click the running icon of Spybot's Teatimer, and choose Exit.
Step #2
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Step #3
Rename HijackThis.exe

1. Right click on the HijackThis icon.


2. Select Rename.


3. Now type the following: Ec2recol.exe <<< NOTE: make sure to put a period before exe when typing.
Hit the Enter key on the keyboard.


Double-click on Ec2recol.exe.
Click on Do a system scan and save a logfile. Post the log in your next reply.


Step #4
Please post a fresh HijackThis log (Ec2recol.exe) and ComboFix log back here :)

#5 ec2recol

ec2recol
  • Topic Starter

  • Members
  • 4 posts

Posted 02 June 2008 - 10:45 AM

Here are my new logs.

COMBOFIX

ComboFix 08-06-01.6 - d-jhay 2008-06-02 23:31:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.174 [GMT 8:00]
Running from: C:\Documents and Settings\d-jhay\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\djyqmpol.dll
C:\WINDOWS\system32\kevvktts.dll
C:\WINDOWS\system32\lopmqyjd.ini
C:\WINDOWS\system32\nqmfxdqw.dll
C:\WINDOWS\system32\RrYcIRqr.ini
C:\WINDOWS\system32\RrYcIRqr.ini2
C:\WINDOWS\system32\sBcIOUtv.ini
C:\WINDOWS\system32\sBcIOUtv.ini2
C:\WINDOWS\system32\sttkvvek.ini
C:\WINDOWS\system32\tlubifim.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 12:10 . 2008-06-02 12:10 0 --a------ C:\WINDOWS\BM93ebc65f.xml
2008-06-02 12:09 . 2008-06-02 12:09 275,456 --a------ C:\WINDOWS\system32\rqRIcYrR.dll
2008-06-02 11:42 . 2008-06-02 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 11:42 . 2008-06-02 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 11:36 . 2008-06-02 11:36 <DIR> d-------- C:\Deckard
2008-06-01 01:20 . 2008-06-01 01:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-01 01:08 . 2008-06-01 01:09 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-31 19:42 . 2008-05-31 19:42 104,448 --a------ C:\WINDOWS\system32\cjaaicay.dll_old
2008-05-31 18:29 . 2008-05-31 19:39 216,427 --a------ C:\WINDOWS\system32\byXnopQk.dll_old
2008-05-31 16:44 . 2008-06-02 10:40 327 --a------ C:\WINDOWS\wininit.ini
2008-05-31 16:16 . 2008-05-31 16:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 16:16 . 2008-05-31 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 15:42 . 2008-05-31 15:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 15:12 . 2008-05-31 15:12 57,344 --a------ C:\WINDOWS\system32\efcCuTNg.dll_old
2008-05-31 14:49 . 2008-06-01 01:28 <DIR> d-------- C:\Documents and Settings\d-jhay\.housecall6.6
2008-05-31 14:35 . 2008-05-31 15:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-31 14:17 . 2008-05-31 14:17 59,392 --a------ C:\WINDOWS\system32\opnlKaBu.dll_old
2008-05-31 14:16 . 2008-05-31 14:16 0 --a------ C:\WINDOWS\system32\ownbusuv.tmp
2008-05-31 14:10 . 2008-06-02 23:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 14:10 . 2008-05-31 14:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 14:07 . 2008-05-31 14:07 59,392 --a------ C:\WINDOWS\system32\qoMfgGwT.dll_old
2008-05-31 14:06 . 2008-05-31 14:06 59,392 --a------ C:\WINDOWS\system32\yayvUoml.dll_old
2008-05-30 22:58 . 2008-05-30 22:58 90,112 --a------ C:\WINDOWS\system32\vusubnwo.dll_old
2008-05-30 22:50 . 2008-05-30 22:51 109,568 --a------ C:\WINDOWS\system32\tgnnubha.dll_old
2008-05-29 22:34 . 2008-05-29 22:34 101,376 --a------ C:\WINDOWS\system32\fqctoyis.dll_old
2008-05-29 22:32 . 2008-05-29 22:32 106,496 --a------ C:\WINDOWS\system32\gooytjgi.dll_old
2008-05-28 23:54 . 1996-12-16 19:30 1,039,360 --a------ C:\WINDOWS\system32\Msjet35.dll
2008-05-28 23:54 . 1996-12-02 19:44 251,664 --a------ C:\WINDOWS\system32\Msrd2x35.dll
2008-05-28 23:53 . 2008-05-28 23:53 <DIR> d-------- C:\Program Files\Epsilon Squared
2008-05-28 23:53 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\Vbar332.dll
2008-05-28 23:53 . 1997-01-13 18:18 37,136 --a------ C:\WINDOWS\system32\Msjint35.dll
2008-05-28 23:53 . 1996-12-02 19:44 24,336 --a------ C:\WINDOWS\system32\Msjter35.dll
2008-05-28 23:51 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\d-jhay\WINDOWS
2008-05-28 23:41 . 2008-05-28 23:41 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-28 22:47 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-28 22:47 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-28 22:36 . 2008-05-28 22:36 97,280 --a------ C:\WINDOWS\system32\svgepumm.dll_old
2008-05-28 22:31 . 2008-05-28 22:31 104,448 --a------ C:\WINDOWS\system32\yesgenya.dll_old
2008-05-28 22:26 . 2008-05-28 22:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-05-28 21:50 . 2008-05-28 21:50 <DIR> d-------- C:\Program Files\ESET
2008-05-28 21:50 . 2008-05-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 20:42 . 2008-05-26 20:42 93,696 --a------ C:\WINDOWS\system32\wnjiinnc.dll_old
2008-05-26 20:34 . 2008-05-26 20:35 108,544 --a------ C:\WINDOWS\system32\wfguaidr.dll_old
2008-05-26 08:15 . 2008-05-27 01:40 <DIR> d-------- C:\Program Files\Panda Security
2008-05-26 08:06 . 2008-05-26 08:13 <DIR> d-------- C:\Program Files\SpyZooka
2008-05-26 08:06 . 2008-05-26 08:06 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 20:12 . 2008-05-25 20:12 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-05-25 20:12 . 2008-05-25 20:12 28,160 --a------ C:\WINDOWS\system32\opnmJCuR.dll
2008-05-21 21:26 . 2008-05-21 21:26 <DIR> d-------- C:\Program Files\PowerQuest
2008-05-20 20:49 . 2008-05-20 20:49 0 --a------ C:\WINDOWS\PowerReg.dat
2008-05-20 13:46 . <DIR> \\.\con
2008-05-11 10:16 . 2008-05-11 10:16 <DIR> d-------- C:\Program Files\Active GIF Creator 3.1
2008-05-11 10:13 . 2008-05-11 10:13 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-05-09 12:31 . 2008-05-09 12:31 <DIR> d-------- C:\NeverwinterNights
2008-05-08 12:31 . 2008-05-08 12:31 <DIR> d-------- C:\Documents and Settings\loneza\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-07 18:40 . 2008-05-07 19:06 <DIR> d-------- C:\12312
2008-05-07 17:54 . 2008-05-07 17:54 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-06 14:32 . 2008-05-06 14:32 <DIR> d-------- C:\WINDOWS\~cua
2008-05-06 14:32 . 2008-05-06 14:32 94,208 --a------ C:\WINDOWS\system32\SSW32N50.dll
2008-05-06 14:32 . 2008-05-06 14:32 31,929 --a------ C:\WINDOWS\system32\SSNDIS3.VXD
2008-05-06 14:32 . 2008-05-06 14:32 17,169 --a------ C:\WINDOWS\system32\SSNDIS5.sys
2008-05-06 14:32 . 2008-05-06 14:32 16,544 --a------ C:\WINDOWS\system32\SSNDIS4.sys
2008-05-06 13:38 . 2008-05-06 13:38 28 --a------ C:\WINDOWS\pdf995.ini
2008-05-06 13:36 . 2008-05-06 13:39 <DIR> d-------- C:\Program Files\pdf995
2008-05-06 13:36 . 2008-05-26 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-05-06 13:36 . 2008-05-06 13:38 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-05-06 13:36 . 2008-05-06 13:38 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-05-06 13:36 . 2008-05-26 07:45 59 --a------ C:\WINDOWS\wpd99.drv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 15:36 --------- d-----w C:\Program Files\FlashGet
2008-05-31 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 14:36 --------- d-----w C:\Program Files\Symantec Client Security
2008-05-28 14:36 --------- d-----w C:\Program Files\Symantec
2008-05-28 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 16:46 --------- d-----w C:\Program Files\LimeWire
2008-05-25 14:30 --------- d-----w C:\Documents and Settings\loneza\Application Data\LimeWire
2008-05-24 13:18 --------- d-----w C:\Documents and Settings\loneza\Application Data\Skype
2008-05-21 13:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-09 04:43 --------- d-----w C:\Program Files\MagicDisc
2008-05-01 07:53 --------- d-----w C:\Documents and Settings\loneza\Application Data\uTorrent
2008-04-27 05:50 --------- d-----w C:\Program Files\Codemasters
2008-04-22 09:53 --------- d-----w C:\Documents and Settings\loneza\Application Data\vlc
2008-04-20 02:33 --------- d-----w C:\Program Files\Buddy Spy
2008-04-18 11:18 --------- d-----w C:\Program Files\DivX
2008-04-14 11:14 --------- d-----w C:\Program Files\PPLive
2008-04-13 11:24 --------- d-----w C:\Documents and Settings\loneza\Application Data\Winamp
2008-04-12 04:59 --------- d-----w C:\Program Files\Winamp
2008-04-07 12:49 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 05:32 --------- d-----w C:\Program Files\Power Tab Software
2008-04-06 16:46 --------- d-----w C:\Program Files\PopCap Games
2008-04-06 16:46 --------- d-----w C:\Program Files\MagicISO
2008-04-06 11:33 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-06 11:33 --------- d-----w C:\Program Files\Common Files\Real
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-03 13:36 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-18 15:58 6,144 --sha-w C:\Program Files\Thumbs.db
2007-10-10 14:39 2,828 ----a-w C:\Program Files\doom.gif
.

((((((((((((((((((((((((((((( snapshot@2008-06-02_11.04.39.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-02 02:59:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 15:37:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F357E98-AE47-45CB-B517-6506692D775E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}]
2008-05-25 20:12 28160 --a------ C:\WINDOWS\system32\opnmJCuR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF7637E2-6048-4F44-8CBB-E04191E70AD1}]
2008-06-02 12:09 275456 --a------ C:\WINDOWS\system32\rqRIcYrR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QNPlus"="C:\Program Files\Conceptworld\QNPlus\QNPlus.exe" [2005-09-14 11:40 692224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 02:31 1372160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-06-26 14:58 2165272]
"Flashget"="C:\PROGRA~1\FlashGet\flashget.exe" [2007-09-25 16:10 2007088]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-02-24 16:00 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-06 19:33 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-08-28 18:03 4579328]
"BM93ebc65f"="C:\WINDOWS\system32\rwihrukg.dll" [2008-06-02 23:40 104448]
"90d8f5c3"="C:\WINDOWS\system32\hequoobw.dll" [2008-06-02 23:41 95232]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}"= C:\WINDOWS\system32\opnmJCuR.dll [2008-05-25 20:12 28160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmJCuR]
opnmJCuR.dll 2008-05-25 20:12 28160 C:\WINDOWS\system32\opnmJCuR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqRIcYrR

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InstallWatch Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InstallWatch Pro.lnk
backup=C:\WINDOWS\pss\InstallWatch Pro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^loneza^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\loneza\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QNPlus]
--a------ 2005-09-14 11:40 692224 C:\Program Files\Conceptworld\QNPlus\QNPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spontania Video Collaboration]
--a------ 2007-10-18 19:03 905324 C:\Program Files\Spontania Video Collaboration\SpontaniaVideoCollaboration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-25 02:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-06 19:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VRS]
--a------ 2008-03-25 21:56 610308 C:\Program Files\NCH Swift Sound\VRS\vrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"VRSService"=2 (0x2)
"rpcapd"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Defender\\MSASCui.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Conceptworld\\QNPlus\\QNPlus.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:*:Disabled:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:*:Disabled:Express Talk Sip Incoming Calls (UDP)
"94:TCP"= 94:TCP:*:Disabled:VRS Recording System Web Control Panel

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 09:10]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 16:14]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-04 20:00]
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys []
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\AMPED\WarRock\System\GameGuard\dump_wmimmc.sys []
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-07-06 09:48]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-26 01:31]
S3 SSNDIS5;SSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\SSNDIS5.SYS [2008-05-06 14:32]
S4 VRSService;VRS Recording System;"C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0df3ec8f-7413-11dc-83c5-001966339883}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd4811c-9cb9-11dc-90cc-001966339883}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 15:40:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 23:38:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\RrYcIRqr.ini 347 bytes
C:\WINDOWS\system32\RrYcIRqr.ini2 347 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnmJCuR.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hequoobw.dll
-> C:\WINDOWS\system32\rwihrukg.dll
-> C:\WINDOWS\system32\rqRIcYrR.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-02 23:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-02 15:43:21
ComboFix2.txt 2008-06-02 03:06:04

Pre-Run: 15,713,886,208 bytes free
Post-Run: 15,727,837,184 bytes free

339


HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:39 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\d-jhay\Desktop\ec2recol.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\opnmJCuR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\FindeXer\FindeXer.dll
O2 - BHO: (no name) - {FF7637E2-6048-4F44-8CBB-E04191E70AD1} - C:\WINDOWS\system32\rqRIcYrR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 TECH PK-635 PC Camera
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [BM93ebc65f] Rundll32.exe "C:\WINDOWS\system32\rwihrukg.dll",s
O4 - HKLM\..\Run: [90d8f5c3] rundll32.exe "C:\WINDOWS\system32\hequoobw.dll",b
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191862264593
O20 - Winlogon Notify: opnmJCuR - C:\WINDOWS\SYSTEM32\opnmJCuR.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 7092 bytes

#6 Baabiouz

    Finnish Malware Fighter

Posted 02 June 2008 - 12:55 PM

Hello

Step #1
You have the program Spybot S&D (Teatimer option) running on your machine and that is good. But prior to doing the fix below with HiJackThis it needs to be turned off. Please do the following:
  • Right click the running icon of Spybot's Teatimer, and choose Exit.
Step #2
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

SpyZooka

Step #3
Please open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\opnmJCuR.dll
O2 - BHO: (no name) - {FF7637E2-6048-4F44-8CBB-E04191E70AD1} - C:\WINDOWS\system32\rqRIcYrR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [BM93ebc65f] Rundll32.exe "C:\WINDOWS\system32\rwihrukg.dll",s
O4 - HKLM\..\Run: [90d8f5c3] rundll32.exe "C:\WINDOWS\system32\hequoobw.dll",b
O20 - Winlogon Notify: opnmJCuR - C:\WINDOWS\SYSTEM32\opnmJCuR.dll


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
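The entries picked out above share a few tell-tale traits that a helper looks for when reading a HijackThis log: BHOs with no display name, a target file that is missing, Run values with auto-generated hex names that load a system32 DLL through rundll32, and the same DLL registered under more than one persistence point (here the O2 BHO and the O20 Winlogon Notify entry both point at opnmJCuR.dll). The following parser and triage routine is an added example, not code from the thread, HijackThis or BleepingComputer; it works only on the log lines quoted above (embedded as a constructed sample) and its heuristics are assumptions of this example, meant as a second-look aid rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: HijackThis v2.0.2 lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\opnmJCuR.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM93ebc65f] Rundll32.exe "C:\WINDOWS\system32\rwihrukg.dll",s
O4 - HKLM\..\Run: [90d8f5c3] rundll32.exe "C:\WINDOWS\system32\hequoobw.dll",b
O20 - Winlogon Notify: opnmJCuR - C:\WINDOWS\SYSTEM32\opnmJCuR.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]*?\.(?:dll|exe))"?', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
HEXISH_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")   # value names like 90d8f5c3 / BM93ebc65f (assumed heuristic)


@dataclass
class HjtEntry:
    section: str            # R3, O2, O4, O20, ...
    name: str               # BHO display name, Run value name, Notify subkey
    path: Optional[str]     # file the entry points at, if one is given
    missing: bool           # HJT marked it "(file missing)" or "(no file)"
    raw: str


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HijackThis log line into a structured entry (None if it is not an entry)."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    missing = "(file missing)" in body or "(no file)" in body
    if sec == "O4":
        nm = re.search(r"\[(.+?)\]", body)                # O4 - HKLM\..\Run: [ValueName] command
        name = nm.group(1) if nm else ""
    else:
        name = body.split(": ", 1)[-1].split(" - ")[0]    # "BHO: <name> - {CLSID} - <path>"
    return HjtEntry(sec, name, path, missing, line)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Heuristic second look: map each suspicious raw line to the reasons it was flagged."""
    sections_by_path: Dict[str, set] = {}
    for e in entries:
        if e.path:
            sections_by_path.setdefault(e.path.lower(), set()).add(e.section)
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        in_sys32 = bool(e.path and SYSTEM32_RE.match(e.path))
        if e.missing:
            reasons.append("orphaned entry: target file missing")
        if e.section == "O2" and e.name == "(no name)" and in_sys32:
            reasons.append("unnamed BHO loading from system32")
        if e.section == "O4" and HEXISH_RE.match(e.name) and in_sys32 and "rundll32" in e.raw.lower():
            reasons.append("auto-generated Run value loading a system32 DLL via rundll32")
        if e.path and len(sections_by_path[e.path.lower()]) > 1:
            joined = "+".join(sorted(sections_by_path[e.path.lower()]))
            reasons.append(f"same DLL registered under several persistence points ({joined})")
        if reasons:
            flagged[e.raw] = reasons
    return flagged


def triage_log(text: str) -> Dict[str, List[str]]:
    return triage(parse_log(text))


if __name__ == "__main__":
    for line, why in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("   ->", r)
```

Run against the sample, it flags exactly the six lines the helper told the poster to fix and leaves the Adobe BHO and the ESET Run entry alone. The cross-reference between sections is the most useful signal: a DLL that is both a BHO and a Winlogon Notify package reloads itself at logon even after the browser hook is removed, which is why the fix list includes the O20 entry as well as the O2 one.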


Step #4
Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\BM93ebc65f.xml
C:\WINDOWS\system32\rqRIcYrR.dll
C:\WINDOWS\system32\cjaaicay.dll_old
C:\WINDOWS\system32\byXnopQk.dll_old
C:\WINDOWS\system32\efcCuTNg.dll_old
C:\WINDOWS\system32\opnlKaBu.dll_old
C:\WINDOWS\system32\ownbusuv.tmp
C:\WINDOWS\system32\qoMfgGwT.dll_old
C:\WINDOWS\system32\yayvUoml.dll_old
C:\WINDOWS\system32\vusubnwo.dll_old
C:\WINDOWS\system32\tgnnubha.dll_old
C:\WINDOWS\system32\fqctoyis.dll_old
C:\WINDOWS\system32\gooytjgi.dll_old
C:\WINDOWS\system32\svgepumm.dll_old
C:\WINDOWS\system32\yesgenya.dll_old
C:\WINDOWS\system32\wnjiinnc.dll_old
C:\WINDOWS\system32\wfguaidr.dll_old
C:\WINDOWS\system32\opnmJCuR.dll
C:\WINDOWS\system32\muzika.xm
C:\WINDOWS\system32\RrYcIRqr.ini

Folder::
C:\Program Files\SpyZooka
C:\WINDOWS\system32\vntiho18

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
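The CFScript in Step #4 is a plain text file made of "Name::" sections: File:: and Folder:: list absolute paths to remove, and Registry:: uses the same syntax as an exported .reg file, where a bracketed line selects a key and `"name"=-` deletes that value (here the ShellExecuteHooks value whose CLSID matches the unnamed BHO in the HijackThis list). The parser below is an added example written for this thread, not part of ComboFix or the original post; it reads a shortened copy of the script above (embedded as a constructed sample), checks that every File::/Folder:: entry is an absolute drive path, and spells out what each Registry:: line asks for. The `[-key]` form is standard .reg syntax included for completeness; the script above does not use it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the CFScript given in Step #4 above.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\BM93ebc65f.xml
C:\WINDOWS\system32\rqRIcYrR.dll
C:\WINDOWS\system32\opnmJCuR.dll
C:\WINDOWS\system32\RrYcIRqr.ini

Folder::
C:\Program Files\SpyZooka
C:\WINDOWS\system32\vntiho18

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>|*?"]+$')

RegAction = Tuple[str, Optional[str], str]   # (key, value name or None, action)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[RegAction]:
    """Interpret a Registry:: block with the .reg (REGEDIT4) conventions it follows:
    [key] selects a key, [-key] deletes it, "name"=- deletes a value, "name"=data sets it."""
    actions: List[RegAction] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                actions.append((key[1:], None, "delete_key"))
                key = None
            continue
        if key is None:
            raise ValueError(f"value line with no enclosing [key]: {line!r}")
        name, _, data = line.partition("=")
        name = name.strip('"')
        actions.append((key, name, "delete_value" if data == "-" else f"set_value:{data}"))
    return actions


def validate_paths(sections: Dict[str, List[str]]) -> List[str]:
    """Every File:: and Folder:: target must be an absolute drive path."""
    problems = []
    for sec in ("File", "Folder"):
        for p in sections.get(sec, []):
            if not ABS_PATH_RE.match(p):
                problems.append(f"{sec}:: entry is not an absolute path: {p}")
    return problems


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    print({k: len(v) for k, v in s.items()}, validate_paths(s))
    for action in registry_actions(s.get("Registry", [])):
        print(action)
```

Reading a script this way before dragging it onto ComboFix makes the scope of what will be deleted explicit, which matters because every path in File:: and Folder:: is removed without further confirmation.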


Step #5
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #6
It looks like you have an illegal copy of NOD32. Please remove it now and download one of these antiviruses:
Step #7
Looking over your log, it seems you don't have any evidence of a third-party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Step #8
Please post the ComboFix log, the MBAM log and a fresh HijackThis log back here :thumbsup:

#7 ec2recol
  • Topic Starter

Posted 02 June 2008 - 09:12 PM

I'm done with the instructions and I am seeing great changes. Here are my new logs.

COMBOFIX

ComboFix 08-06-01.6 - d-jhay 2008-06-03 9:06:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT 8:00]
Running from: C:\Documents and Settings\d-jhay\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\d-jhay\Desktop\CFSCript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM93ebc65f.xml
C:\WINDOWS\system32\byXnopQk.dll_old
C:\WINDOWS\system32\cjaaicay.dll_old
C:\WINDOWS\system32\efcCuTNg.dll_old
C:\WINDOWS\system32\fqctoyis.dll_old
C:\WINDOWS\system32\gooytjgi.dll_old
C:\WINDOWS\system32\muzika.xm
C:\WINDOWS\system32\opnlKaBu.dll_old
C:\WINDOWS\system32\opnmJCuR.dll
C:\WINDOWS\system32\ownbusuv.tmp
C:\WINDOWS\system32\qoMfgGwT.dll_old
C:\WINDOWS\system32\rqRIcYrR.dll
C:\WINDOWS\system32\RrYcIRqr.ini
C:\WINDOWS\system32\svgepumm.dll_old
C:\WINDOWS\system32\tgnnubha.dll_old
C:\WINDOWS\system32\vusubnwo.dll_old
C:\WINDOWS\system32\wfguaidr.dll_old
C:\WINDOWS\system32\wnjiinnc.dll_old
C:\WINDOWS\system32\yayvUoml.dll_old
C:\WINDOWS\system32\yesgenya.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SpyZooka
C:\WINDOWS\BM93ebc65f.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXnopQk.dll_old
C:\WINDOWS\system32\cjaaicay.dll_old
C:\WINDOWS\system32\efcCuTNg.dll_old
C:\WINDOWS\system32\fqctoyis.dll_old
C:\WINDOWS\system32\gooytjgi.dll_old
C:\WINDOWS\system32\muzika.xm
C:\WINDOWS\system32\opnlKaBu.dll_old
C:\WINDOWS\system32\opnmJCuR.dll
C:\WINDOWS\system32\ownbusuv.tmp
C:\WINDOWS\system32\plomlhss.exe
C:\WINDOWS\system32\qoMfgGwT.dll_old
C:\WINDOWS\system32\rqRIcYrR.dll
C:\WINDOWS\system32\RrYcIRqr.ini
C:\WINDOWS\system32\RrYcIRqr.ini2
C:\WINDOWS\system32\rwihrukg.dll
C:\WINDOWS\system32\svgepumm.dll_old
C:\WINDOWS\system32\tgnnubha.dll_old
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\vusubnwo.dll_old
C:\WINDOWS\system32\wboouqeh.ini
C:\WINDOWS\system32\wfguaidr.dll_old
C:\WINDOWS\system32\wnjiinnc.dll_old
C:\WINDOWS\system32\yayvUoml.dll_old
C:\WINDOWS\system32\yesgenya.dll_old

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-02 11:42 . 2008-06-02 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 11:42 . 2008-06-02 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 11:36 . 2008-06-02 11:36 <DIR> d-------- C:\Deckard
2008-06-01 01:20 . 2008-06-01 01:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-01 01:08 . 2008-06-01 01:09 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-31 16:44 . 2008-06-02 10:40 327 --a------ C:\WINDOWS\wininit.ini
2008-05-31 16:16 . 2008-05-31 16:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 16:16 . 2008-05-31 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 15:42 . 2008-05-31 15:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:49 . 2008-06-01 01:28 <DIR> d-------- C:\Documents and Settings\d-jhay\.housecall6.6
2008-05-31 14:35 . 2008-05-31 15:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-31 14:10 . 2008-06-03 09:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 14:10 . 2008-05-31 14:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 23:54 . 1996-12-16 19:30 1,039,360 --a------ C:\WINDOWS\system32\Msjet35.dll
2008-05-28 23:54 . 1996-12-02 19:44 251,664 --a------ C:\WINDOWS\system32\Msrd2x35.dll
2008-05-28 23:53 . 2008-05-28 23:53 <DIR> d-------- C:\Program Files\Epsilon Squared
2008-05-28 23:53 . 1996-11-08 03:48 368,912 --a------ C:\WINDOWS\system32\Vbar332.dll
2008-05-28 23:53 . 1997-01-13 18:18 37,136 --a------ C:\WINDOWS\system32\Msjint35.dll
2008-05-28 23:53 . 1996-12-02 19:44 24,336 --a------ C:\WINDOWS\system32\Msjter35.dll
2008-05-28 23:51 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\d-jhay\WINDOWS
2008-05-28 23:41 . 2008-05-28 23:41 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-28 22:47 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-28 22:47 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-28 22:26 . 2008-05-28 22:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-05-28 21:50 . 2008-05-28 21:50 <DIR> d-------- C:\Program Files\ESET
2008-05-28 21:50 . 2008-05-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 08:15 . 2008-05-27 01:40 <DIR> d-------- C:\Program Files\Panda Security
2008-05-26 08:06 . 2008-05-26 08:06 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 21:26 . 2008-05-21 21:26 <DIR> d-------- C:\Program Files\PowerQuest
2008-05-20 20:49 . 2008-05-20 20:49 0 --a------ C:\WINDOWS\PowerReg.dat
2008-05-20 13:46 . <DIR> \\.\con
2008-05-11 10:16 . 2008-05-11 10:16 <DIR> d-------- C:\Program Files\Active GIF Creator 3.1
2008-05-09 12:31 . 2008-05-09 12:31 <DIR> d-------- C:\NeverwinterNights
2008-05-08 12:31 . 2008-05-08 12:31 <DIR> d-------- C:\Documents and Settings\loneza\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-07 18:40 . 2008-05-07 19:06 <DIR> d-------- C:\12312
2008-05-07 17:54 . 2008-05-07 17:54 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-06 14:32 . 2008-05-06 14:32 <DIR> d-------- C:\WINDOWS\~cua
2008-05-06 14:32 . 2008-05-06 14:32 94,208 --a------ C:\WINDOWS\system32\SSW32N50.dll
2008-05-06 14:32 . 2008-05-06 14:32 31,929 --a------ C:\WINDOWS\system32\SSNDIS3.VXD
2008-05-06 14:32 . 2008-05-06 14:32 17,169 --a------ C:\WINDOWS\system32\SSNDIS5.sys
2008-05-06 14:32 . 2008-05-06 14:32 16,544 --a------ C:\WINDOWS\system32\SSNDIS4.sys
2008-05-06 13:38 . 2008-05-06 13:38 28 --a------ C:\WINDOWS\pdf995.ini
2008-05-06 13:36 . 2008-05-06 13:39 <DIR> d-------- C:\Program Files\pdf995
2008-05-06 13:36 . 2008-05-26 07:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-05-06 13:36 . 2008-05-06 13:38 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-05-06 13:36 . 2008-05-06 13:38 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-05-06 13:36 . 2008-05-26 07:45 59 --a------ C:\WINDOWS\wpd99.drv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 01:14 --------- d-----w C:\Program Files\FlashGet
2008-05-31 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-28 14:36 --------- d-----w C:\Program Files\Symantec Client Security
2008-05-28 14:36 --------- d-----w C:\Program Files\Symantec
2008-05-28 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 16:46 --------- d-----w C:\Program Files\LimeWire
2008-05-25 14:30 --------- d-----w C:\Documents and Settings\loneza\Application Data\LimeWire
2008-05-24 13:18 --------- d-----w C:\Documents and Settings\loneza\Application Data\Skype
2008-05-21 13:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-09 04:43 --------- d-----w C:\Program Files\MagicDisc
2008-05-01 07:53 --------- d-----w C:\Documents and Settings\loneza\Application Data\uTorrent
2008-04-27 05:50 --------- d-----w C:\Program Files\Codemasters
2008-04-22 09:53 --------- d-----w C:\Documents and Settings\loneza\Application Data\vlc
2008-04-20 02:33 --------- d-----w C:\Program Files\Buddy Spy
2008-04-18 11:18 --------- d-----w C:\Program Files\DivX
2008-04-14 11:14 --------- d-----w C:\Program Files\PPLive
2008-04-13 11:24 --------- d-----w C:\Documents and Settings\loneza\Application Data\Winamp
2008-04-12 04:59 --------- d-----w C:\Program Files\Winamp
2008-04-07 12:49 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 05:32 --------- d-----w C:\Program Files\Power Tab Software
2008-04-06 16:46 --------- d-----w C:\Program Files\PopCap Games
2008-04-06 16:46 --------- d-----w C:\Program Files\MagicISO
2008-04-06 11:33 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-06 11:33 --------- d-----w C:\Program Files\Common Files\Real
2008-03-03 13:36 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-18 15:58 6,144 --sha-w C:\Program Files\Thumbs.db
2007-10-10 14:39 2,828 ----a-w C:\Program Files\doom.gif
.

((((((((((((((((((((((((((((( snapshot@2008-06-02_11.04.39.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-02 02:59:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 01:15:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F357E98-AE47-45CB-B517-6506692D775E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF7637E2-6048-4F44-8CBB-E04191E70AD1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QNPlus"="C:\Program Files\Conceptworld\QNPlus\QNPlus.exe" [2005-09-14 11:40 692224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 02:31 1372160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-06-26 14:58 2165272]
"Flashget"="C:\PROGRA~1\FlashGet\flashget.exe" [2007-09-25 16:10 2007088]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-02-24 16:00 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-06 19:33 185896]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-08-28 18:03 4579328]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmJCuR]
opnmJCuR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InstallWatch Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InstallWatch Pro.lnk
backup=C:\WINDOWS\pss\InstallWatch Pro.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^loneza^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\loneza\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QNPlus]
--a------ 2005-09-14 11:40 692224 C:\Program Files\Conceptworld\QNPlus\QNPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spontania Video Collaboration]
--a------ 2007-10-18 19:03 905324 C:\Program Files\Spontania Video Collaboration\SpontaniaVideoCollaboration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a------ 2006-05-25 02:31 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-06 19:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VRS]
--a------ 2008-03-25 21:56 610308 C:\Program Files\NCH Swift Sound\VRS\vrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"VRSService"=2 (0x2)
"rpcapd"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Defender\\MSASCui.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\Garena.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\Conceptworld\\QNPlus\\QNPlus.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:*:Disabled:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:*:Disabled:Express Talk Sip Incoming Calls (UDP)
"94:TCP"= 94:TCP:*:Disabled:VRS Recording System Web Control Panel

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 09:10]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 16:14]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-04 20:00]
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys []
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\AMPED\WarRock\System\GameGuard\dump_wmimmc.sys []
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-07-06 09:48]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-26 01:31]
S3 SSNDIS5;SSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\SSNDIS5.SYS [2008-05-06 14:32]
S4 VRSService;VRS Recording System;"C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0df3ec8f-7413-11dc-83c5-001966339883}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd4811c-9cb9-11dc-90cc-001966339883}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 01:18:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 09:16:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-03 9:20:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 01:20:30
ComboFix2.txt 2008-06-02 15:43:33
ComboFix3.txt 2008-06-02 03:06:04

Pre-Run: 15,586,127,872 bytes free
Post-Run: 15,560,278,016 bytes free


MBAM LOG

Malwarebytes' Anti-Malware 1.14
Database version: 816

9:29:37 AM 6/3/2008
mbam-log-6-3-2008 (09-29-37).txt

Scan type: Quick Scan
Objects scanned: 39793
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM93ebc65f (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\d-jhay\Local Settings\Temporary Internet Files\Content.IE5\0TB4R2QK\CAQVK9MN (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\d-jhay\Local Settings\Temporary Internet Files\Content.IE5\4LMBC9UZ\CAPSM9DR (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\d-jhay\Local Settings\Temporary Internet Files\Content.IE5\4LMBC9UZ\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Documents and Settings\d-jhay\Local Settings\Temporary Internet Files\Content.IE5\UPBU48OA\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.


HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:31 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\d-jhay\Desktop\ec2recol.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\FindeXer\FindeXer.dll
O2 - BHO: (no name) - {FF7637E2-6048-4F44-8CBB-E04191E70AD1} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 TECH PK-635 PC Camera
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [QNPlus] C:\Program Files\Conceptworld\QNPlus\QNPlus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191862264593
O20 - Winlogon Notify: opnmJCuR - opnmJCuR.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7410 bytes

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:37 AM

Posted 03 June 2008 - 12:03 PM

Hello

Step #1
You have the program Spybot S&D (Teatimer option) running on your machine and that is good. But prior to doing the fix below with HiJackThis it needs to be turned off. Please do the following:
  • Right click the running icon of Spybot's Teatimer, and choose Exit.
Unless it is turned off it could interfere with the fix by HiJackThis.

Step #2
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):


ZoneAlarm Spy Blocker

Step #3
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FF7637E2-6048-4F44-8CBB-E04191E70AD1} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O20 - Winlogon Notify: opnmJCuR - opnmJCuR.dll (file missing)


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Reboot your computer.

Step #4
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\ZoneAlarmSB

Step #5
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Step #6
Please post a fresh HijackThis log back here :thumbsup:

How's your PC working now? :)
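As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), a small Python triage of the HijackThis 2.0 line types Step #3 targets: O2/O3 entries whose DLL is "(no file)", any O20 Winlogon Notify DLL, and O4 Run values named like the BM93ebc65f value MBAM quarantined above. The sample lines are copied from the log posted in this thread, except the one O4 line marked as constructed.

```python
"""Triage of HijackThis 2.0 log lines: orphaned O2/O3 CLSIDs, O20 Winlogon
Notify DLLs and O4 Run values with an MBAM-style BM<hex> name. Added example
for this thread; not HijackThis code."""
import re

# Line shapes of the HijackThis 2.0 sections handled here.
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                       r"(?P<dll>\S+)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Value-name shape MBAM flagged in this thread (BM93ebc65f, Trojan.Agent).
BM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(("orphaned BHO/toolbar CLSID, DLL already gone", line))
            elif m["name"] == "(no name)":
                findings.append(("BHO with no display name, inspect the DLL", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Anything registered here is loaded into winlogon.exe; Vundo
            # used randomly named DLLs such as the one in this thread.
            reason = "Winlogon Notify DLL %s" % m["dll"]
            if m["missing"]:
                reason += " (file missing)"
            findings.append((reason, line))
            continue
        m = RUN_RE.match(line)
        if m and BM_NAME_RE.match(m["name"]):
            findings.append(("Run value named like the BM<hex> entry MBAM removed", line))
    return findings

# Sample lines from the log above; the BM93ebc65f O4 line is constructed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F357E98-AE47-45CB-B517-6506692D775E} - (no file)
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BM93ebc65f] rundll32.exe constructed-sample.dll,s
O20 - Winlogon Notify: opnmJCuR - opnmJCuR.dll (file missing)
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-55s %s" % (reason, line))
```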

#9 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:37 PM

Posted 08 June 2008 - 06:57 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
