Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Am Vundolizing!


  • This topic is locked This topic is locked
11 replies to this topic

#1 no more vundo please

no more vundo please

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 17 June 2008 - 12:49 PM

irst of all, Thank you in advance for sparing your time in helping people around the planet and myself.

I have download some application with BitComet and thought it was safe to open as my NOD32 did not worn me anything, so i install. I notice the slow performance imedieatly after installation. Also IE is having some rouge spyware asking me to download a virus protecion from some site but i didnot download it. I know I am in trouble now.

I googled and install Spybot S&D and try to scan and delete it, it did foundVirtumonde malware but of course respawn after reboot.

I also install the MalwareByte Antimalware, scan and delete and again respawn.

Then i logon to safemode and run both Spybot and MalwareByte in hope that running in safe mode would get a better result but again it respawn.

After trying several hours, i decied to download HJT and scan, I did delete something which i am sure it is a virus as it has similar name with the name shown when anti-spyware detect, but it seem that it keep download more into my notebook.

So please help me get rid of these presistant malware and continue with my life

++++++++++++++++++++++++++++++++++++
This is from MalwareByte most update log

Malwarebytes' Anti-Malware 1.17
Database version: 863

0:45:49 18/6/2551
mbam-log-6-18-2008 (00-45-49).txt

Scan type: Quick Scan
Objects scanned: 48377
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45d06dd4-7b73-4ce0-bf56-b3b2142e93fa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






+++++++++++++++++++++++++++
This is log from HJT most update one as well.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:43:27, on 18/6/2551
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsee.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15208AD2-1331-4184-9E50-73789F2A3D35} - C:\WINDOWS\system32\jkkJyVMd.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {45D06DD4-7B73-4CE0-BF56-B3B2142E93FA} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A201CA2B-DA50-4CB0-8E61-F7BD79ECD141} - C:\WINDOWS\system32\iifebxYQ.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MagicLinker3] C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://sf.gg.in.th/activex/StarterSFTDE.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://mail.chazinsurance.com/dwa8W.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 11507 bytes



Please kindly check this for me.

Thank you !

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 19 June 2008 - 11:47 AM

Hello no more vundo please,

Please do everything at this site
Preparation Guide for use before posting about your potential Malware problem
then post the Kaspersky log and the DSS Main and Extra logs.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 no more vundo please

no more vundo please
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 20 June 2008 - 02:02 AM

Hi SifuMike,

Thank you for look up my issue.

I have read the instruction again and here my new post.

From my guess, i think i am infected with
Vundo
Virtumundo

- I have enable firewall
- I have clean several time with Spybot S&D (both in normal boot and savemode)
- I have clean several time with MalwareByte Antimalware (both in normal boot and savemode)

+++++++++++++++++++++++++++++++++++++++++
DSS Scanning Log - Main.txt
+++++++++++++++++++++++++++++++++++++++++
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-20 12:42:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-20 05:42:31 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:36, on 20/6/2551
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsee.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15208AD2-1331-4184-9E50-73789F2A3D35} - C:\WINDOWS\system32\jkkJyVMd.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A201CA2B-DA50-4CB0-8E61-F7BD79ECD141} - C:\WINDOWS\system32\iifebxYQ.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MagicLinker3] C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://sf.gg.in.th/activex/StarterSFTDE.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://mail.chazinsurance.com/dwa8W.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
O20 - Winlogon Notify: wintfj32 - C:\WINDOWS\SYSTEM32\wintfj32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 11430 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-25510617-125946-544 O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\WINDOWS\vrmdtneg.dll
backup-25510617-130131-793 O21 - SSODL: xvorfwbd - {30152101-8CBA-4D79-8F52-C58822A88CD0} - C:\WINDOWS\xvorfwbd.dll
backup-25510617-130131-815 O21 - SSODL: wpvmqosg - {7C913A0A-1C9D-4CA6-BD0E-281EEAE753EF} - C:\WINDOWS\wpvmqosg.dll
backup-25510617-130422-414 O21 - SSODL: xvorfwbd - {770F7D86-4891-4492-BE0E-508D8CB6F29C} - C:\WINDOWS\xvorfwbd.dll
backup-25510617-131123-487 O21 - SSODL: xvorfwbd - {9D5841D0-EBF0-42EF-9E10-DAC71B898018} - C:\WINDOWS\xvorfwbd.dll
backup-25510617-131351-834 O21 - SSODL: xvorfwbd - {9E943F00-89AF-4FF7-93A1-F1050370D0B2} - C:\WINDOWS\xvorfwbd.dll
backup-25510617-131636-382 O21 - SSODL: xvorfwbd - {CBAB9898-F7D7-45E0-B734-6026BCD6B5DF} - C:\WINDOWS\xvorfwbd.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface x86 Driver>
R2 XAudio - c:\windows\system32\drivers\xaudio.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSF_DPV - c:\windows\system32\drivers\hsx_dpv.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSXHWAZL - c:\windows\system32\drivers\hsxhwazl.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 winachsf - c:\windows\system32\drivers\hsx_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhdaud.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S2 XAudioService - c:\windows\system32\drivers\xaudio.exe <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-17 19:59:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-17 19:59:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 19:59:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 15:14:42 92544 -----n--- C:\WINDOWS\system32\hqapxegn.dll
2008-06-17 13:59:35 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-17 13:54:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 12:44:30 0 d-------- C:\Program Files\Lavasoft
2008-06-17 12:44:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-17 12:42:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:25:04 0 d-------- C:\Program Files\Trend Micro
2008-06-17 11:52:20 92544 -----n--- C:\WINDOWS\system32\bhcufamg.dll
2008-06-17 11:51:35 2635 --ahs---- C:\WINDOWS\system32\QYxbefii.ini2
2008-06-06 12:44:49 0 d-------- C:\Program Files\KRU
2008-06-05 16:57:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\bang
2008-06-05 16:57:19 0 d-------- C:\WINDOWS\Sun
2008-06-05 16:57:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-05 16:56:44 0 d-------- C:\Program Files\Java
2008-06-05 16:54:52 0 d-------- C:\Program Files\Common Files\Java
2008-06-03 09:35:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Good Keywords v2
2008-06-03 09:35:26 0 d-------- C:\Program Files\Softnik Technologies
2008-05-29 18:55:19 16384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-05-29 18:55:19 0 d-------- C:\WINDOWS\system32\Adobe
2008-05-23 08:50:08 0 d-------- C:\Program Files\Citrix
2008-05-20 23:40:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2008-05-20 23:40:10 0 d-------- C:\Program Files\Cooking Academy
2008-05-20 10:32:03 0 d-------- C:\Program Files\Buildalot 2 Town Of The Year


-- Find3M Report ---------------------------------------------------------------

2008-06-20 12:43:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2008-06-20 12:10:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
2008-06-17 12:42:48 0 d-------- C:\Program Files\Common Files
2008-06-16 13:30:18 0 d-------- C:\Program Files\BitComet
2008-06-10 13:24:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-02 15:31:53 0 d-------- C:\Program Files\Winamp
2008-05-29 18:55:19 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-29 18:54:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 11:16:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Screenshot Sender
2008-05-20 19:37:27 0 d-------- C:\Program Files\Magic Farm
2008-05-19 15:43:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Meridian93
2008-05-19 15:42:00 0 d-------- C:\Program Files\ReflexiveArcade
2008-05-19 15:11:46 0 d-------- C:\Program Files\Oberon Media
2008-05-19 14:06:50 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-05-16 17:45:49 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-15 22:04:12 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-05-13 13:17:07 139344 --a------ C:\WINDOWS\system32\DNLEng.dll <Not Verified; ; DNLEng Dynamic Link Library>
2008-05-13 13:17:07 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-13 13:17:07 26 --a------ C:\WINDOWS\dbrmdwb.bat
2008-05-10 16:15:27 28160 --a------ C:\WINDOWS\system32\wintfj32.dll
2008-05-10 16:15:22 28160 --a------ C:\WINDOWS\system32\winemx32.dll
2008-05-08 09:46:27 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-08 09:46:26 0 d-------- C:\Program Files\Windows Live
2008-05-08 09:46:26 0 d-------- C:\Program Files\MSN Messenger
2008-04-29 11:49:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-04-29 11:49:06 0 d-------- C:\Program Files\SmartFTP Client
2008-04-29 11:48:55 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-29 11:29:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-04-29 09:50:13 0 d--h----- C:\Program Files\Zenographics
2008-04-26 00:33:05 0 d-------- C:\Program Files\Skype
2008-04-26 00:33:01 0 d-------- C:\Program Files\Common Files\Skype
2008-04-25 10:07:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15208AD2-1331-4184-9E50-73789F2A3D35}]
C:\WINDOWS\system32\jkkJyVMd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A201CA2B-DA50-4CB0-8E61-F7BD79ECD141}]
C:\WINDOWS\system32\iifebxYQ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [05/06/2006 09:29 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 11:38 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/23/2007 03:35 AM]
"nwiz"="nwiz.exe" [05/23/2007 03:35 AM C:\WINDOWS\system32\nwiz.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/12/2005 11:39 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"MagicLinker3"="C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe" [05/11/2001 11:31 AM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [11/22/2006 04:31 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/08/2003 03:40 AM]
"CognizanceTS"="C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [12/23/2003 01:12 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [03/08/2008 11:54 AM]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [08/16/2007 11:13 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [05/02/2007 04:15 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/08/2006 10:42 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [04/03/2008 04:48 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Winamp Agent.lnk - C:\Program Files\Winamp\winampa.exe [20/12/2547 12:41:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [29/8/2550 17:06:58]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/9/2548 22:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [12/5/2549 13:33:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [16/6/2551 11:54:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll 02/07/2007 09:30 PM 74240 C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintfj32]
wintfj32.dll 05/10/2008 04:15 PM 28160 C:\WINDOWS\system32\wintfj32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance ASBroker ASChannel


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc35ec2-5642-11dc-bb32-806d6172696f}]
AutoRun\command- E:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d8da88-5614-11dc-bb36-001b7731a1bc}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe




-- End of Deckard's System Scanner: finished at 2008-06-20 12:44:14 ------------



+++++++++++++++++++++++++++++++++++++++++
DSS Scanning Log - Extra.txt
+++++++++++++++++++++++++++++++++++++++++


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 2046.29 MiB / 1439.64 MiB
Pagefile Memory (total/avail): 3428.52 MiB / 2946.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.49 MiB

C: is Fixed (NTFS) - 48.83 GiB total, 39.48 GiB free.
D: is Fixed (NTFS) - 100.21 GiB total, 97.37 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST9160821AS - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 48.83 GiB - C:
\PARTITION1 - Installable File System - 100.21 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\WINDOWS\\system32\\winver.exe"="C:\\WINDOWS\\system32\\winver.exe:*:Enabled:winver"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=XGEN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\XGEN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Bioscrypt\VeriSoft\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=XGEN
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Conexant\SmartAudio\SETUP.EXE -U -ISmartAudio -SM=SMAUDIO.EXE,1801
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 9 Photo Manager --> MsiExec.exe /I{B2D41883-3BFC-4BA0-A2F6-5A2C9836C238}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Illustrator 10 --> "C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\setup.exe"
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{B61B6668-A674-4A06-8405-51944D5CCDDD}
BitComet 1.01 --> C:\Program Files\BitComet\uninst.exe
Color LaserJet 1600 --> C:\Program Files\Zenographics\{FFFB687D-589A-4FD9-96FD-44566CCDB06A}\setup.exe -u "HPCLJKCInstaller.dll=CLJ1600.INF"
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -I*.INF
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -Iwis30B5a.INF
CPL All-in-One --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CPLBonus.inf,CPLuninstall
CyberLink YouCam --> "C:\Program Files\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\setup.exe" /z-uninstall
Fingerprint Sensor Minimum Install --> MsiExec.exe /I{F9CCC3C3-F99F-4183-AF6F-F22E36D36FAB}
Good Keywords v2.01.100107 --> "C:\Program Files\Softnik Technologies\Good Keywords v2.01\unins000.exe"
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7\UIU32m.EXE -U -IwqcVenz.inf
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Quick Launch Buttons 6.20 B1 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP QuickPlay 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
J2SE Runtime Environment 5.0 Update 12 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office 2003 Thai User Interface Pack --> MsiExec.exe /I{901E041E-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Motorola SM56 Speakerphone Modem --> rundll32.exe sm56co6a.dll,SM56UnInstaller
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "C:\Program Files\Eset\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x001e -removeonly
Shattered Galaxy --> C:\PROGRA~1\KRU\SHATTE~1\UNWISE.EXE C:\PROGRA~1\KRU\SHATTE~1\INSTALL.LOG
Skype? 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
ThaiSoftware Dictionary V4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Uninst.isu"
VeriSoft Access Manager --> rundll32.exe "C:\Program Files\Bioscrypt\VeriSoft\Bin\SetupHelper.dll",ExecMain /Uninstall {0ABA40AF-288D-41F1-B735-C5155692CD7D}
Winamp --> MsiExec.exe /I{556C9B0C-9BAC-48AC-AC3E-41326A4356F8}
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\F13EE0B22AD5D087DFA50E3D4D6F13FC1AAAFB32
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type1544 / Error
Event Submitted/Written: 06/20/2008 00:40:01 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1543 / Error
Event Submitted/Written: 06/20/2008 00:37:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1538 / Error
Event Submitted/Written: 06/19/2008 04:46:14 PM
Event ID/Source: 1000 / Microsoft Office 11
Event Description:
winword.exe11.0.5604.03f314a2fsaext.dll11.0.5510.03f0fcf5900000607c

Event Record #/Type1537 / Error
Event Submitted/Written: 06/19/2008 03:25:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1536 / Error
Event Submitted/Written: 06/19/2008 11:40:54 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application acrobat.exe, version 8.1.0.137, faulting module acrobat.dll, version 8.1.2.86, fault address 0x0002e4e6.
Processing media-specific event for [acrobat.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6681 / Error
Event Submitted/Written: 06/20/2008 00:10:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The XAudioService service failed to start due to the following error:
%%193

Event Record #/Type6677 / Warning
Event Submitted/Written: 06/19/2008 05:43:36 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.

Event Record #/Type6673 / Warning
Event Submitted/Written: 06/19/2008 04:38:35 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.

Event Record #/Type6672 / Warning
Event Submitted/Written: 06/19/2008 04:38:35 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.

Event Record #/Type6671 / Warning
Event Submitted/Written: 06/19/2008 04:38:35 PM
Event ID/Source: 51 / Cdrom
Event Description:
An error was detected on device \Device\CdRom0 during a paging operation.



-- End of Deckard's System Scanner: finished at 2008-06-20 12:44:14 ------------

+++++++++++++++++++++++++
Kaspersky scan log
+++++++++++++++++++++++++

Posted Image

**End of scan log**

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 20 June 2008 - 12:00 PM

Hi no more vundo please,

I see you have been playing with Hijackthis and attempted to fix this yourself. :)
HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.

Your Hijackthis changes only make removal more difficult. :thumbup2:


backup-2551-0617125946-544 O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\WINDOWS\vrmdtneg.dll


It looks like your computer is set to wrong year. It thinks this year 2551. :thumbsup:
You need to reset the year to 2008. http://support.microsoft.com/kb/307938



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your NOD Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable NOD32 Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • click it -> click on the Posted Image button.
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You succesfully disabled the NOD32 Guard.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 20 June 2008 - 12:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 no more vundo please

no more vundo please
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 21 June 2008 - 04:53 AM

Dear SifuMike,

I have install Recovery system and run combofix, below is my log.

+++++++++++++++++++++++++++
ComboFix Log
+++++++++++++++++++++++++++

ComboFix 08-06-20.4 - Administrator 2008-06-21 16:38:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.1591 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bioscrypt\VeriSoft\Bin\ASWLNPkg.dll
C:\WINDOWS\system32\bhcufamg.dll
C:\WINDOWS\system32\hqapxegn.dll
C:\WINDOWS\system32\QYxbefii.ini
C:\WINDOWS\system32\QYxbefii.ini2
C:\WINDOWS\system32\winemx32.dll
C:\WINDOWS\system32\wintfj32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBroker
-------\Service_ASBroker


((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-20 12:42 . 2008-06-20 12:42 <DIR> d-------- C:\Deckard
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-17 19:59 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 19:59 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 14:31 . 2008-06-17 16:51 456 --a------ C:\WINDOWS\wininit.ini
2008-06-17 13:59 . 2008-06-17 13:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-17 13:54 . 2008-06-17 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 13:54 . 2008-06-17 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 12:44 . 2008-06-17 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-17 12:44 . 2008-06-17 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-17 12:42 . 2008-06-17 12:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:25 . 2008-06-17 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 13:42 . 2008-06-10 13:42 746 --a------ C:\ShatteredGalaxy.lnk
2008-06-06 12:44 . 2008-06-10 13:41 <DIR> d-------- C:\Program Files\KRU
2008-06-05 16:57 . 2008-06-05 16:57 <DIR> d-------- C:\WINDOWS\Sun
2008-06-05 16:57 . 2008-06-05 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\bang
2008-06-05 16:57 . 2007-05-02 04:01 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-05 16:56 . 2008-06-05 16:57 <DIR> d-------- C:\Program Files\Java
2008-06-05 16:54 . 2008-06-05 16:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-03 09:35 . 2008-06-03 09:35 <DIR> d-------- C:\Program Files\Softnik Technologies
2008-06-03 09:35 . 2008-06-03 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Good Keywords v2
2008-05-29 18:55 . 2008-05-29 18:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-29 18:55 . 2001-10-27 04:16 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-05-23 08:50 . 2008-05-23 08:50 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 09:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-06-21 09:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-06-17 07:31 --------- d-----w C:\Program Files\ESET
2008-06-16 06:30 --------- d-----w C:\Program Files\BitComet
2008-06-16 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-02 08:31 --------- d-----w C:\Program Files\Winamp
2008-05-29 11:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-29 11:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 02:29 --------- d-----w C:\Program Files\Cooking Academy
2008-05-24 04:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Screenshot Sender
2008-05-23 01:49 56,912 ----a-w C:\WINDOWS\java\g2mdlhlpx.exe
2008-05-20 16:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-05-20 12:44 --------- d-----w C:\Program Files\Buildalot 2 Town Of The Year
2008-05-20 12:37 --------- d-----w C:\Program Files\Magic Farm
2008-05-19 08:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Meridian93
2008-05-19 08:42 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-19 08:11 --------- d-----w C:\Program Files\Oberon Media
2008-05-19 08:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-19 07:06 --------- d-----w C:\Program Files\Common Files\Oberon Media
2008-05-16 10:45 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-16 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-16 04:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 15:04 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-05-13 06:17 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-05-13 06:17 31,984 ----a-w C:\WINDOWS\dbrmdwb.exe
2008-05-13 06:17 2,004,728 ----a-w C:\WINDOWS\npdbplug.dll
2008-05-13 06:17 139,344 ----a-w C:\WINDOWS\system32\DNLEng.dll
2008-05-13 06:15 832,744 ----a-w C:\WINDOWS\dbplugin.exe
2008-05-08 02:46 --------- d-----w C:\Program Files\Windows Live
2008-05-08 02:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-08 02:46 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-07 07:05 --------- d-----w C:\Program Files\Unlocker
2008-05-05 14:30 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-05 14:29 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-02 03:52 155,995 ----a-w C:\WINDOWS\java\Packages\4UCD7RT7.ZIP
2008-04-29 04:49 --------- d-----w C:\Program Files\SmartFTP Client
2008-04-29 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-04-29 04:48 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-29 04:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-04-29 04:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 04:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 04:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 02:50 --------- d--h--w C:\Program Files\Zenographics
2008-04-25 17:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-25 17:33 --------- d-----w C:\Program Files\Skype
2008-04-25 17:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-25 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-25 03:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-06 05:47 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
.

------- Sigcheck -------

2007-07-04 17:27 359040 a14fafd66adbd55a86f17a37e5ec4263 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15208AD2-1331-4184-9E50-73789F2A3D35}]
C:\WINDOWS\system32\jkkJyVMd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A201CA2B-DA50-4CB0-8E61-F7BD79ECD141}]
C:\WINDOWS\system32\iifebxYQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-08-08 22:42 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 16:48 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-05-06 09:29 6656]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 11:38 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-23 03:35 8433664]
"nwiz"="nwiz.exe" [2007-05-23 03:35 1626112 C:\WINDOWS\system32\nwiz.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 11:39 94208]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"MagicLinker3"="C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe" [2001-05-11 11:31 131072]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 16:31 630784]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 03:40 159744]
"CognizanceTS"="C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-23 01:12 17920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-08 11:54 950664]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-16 23:13 218408]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15 75520]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Winamp Agent.lnk - C:\Program Files\Winamp\winampa.exe [2004-12-20 12:41:22 33792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-29 17:06:58 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-16 11:54:20 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7542:TCP"= 7542:TCP:BitComet 7542 TCP
"7542:UDP"= 7542:UDP:BitComet 7542 UDP
"1356:UDP"= 1356:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"1357:UDP"= 1357:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2006-08-08 22:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc35ec2-5642-11dc-bb32-806d6172696f}]
\Shell\AutoRun\command - E:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d8da88-5614-11dc-bb36-001b7731a1bc}]
\Shell\AutoRun\command - fooool.exe
\Shell\explore\Command - fooool.exe
\Shell\open\Command - fooool.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 16:42:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-06-21 16:44:41 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-21 09:44:37

Pre-Run: 39,310,807,040 bytes free
Post-Run: 39,382,052,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

208


++++++++++++++++++++++++
End of log
++++++++++++++++++++++++

Cheers!......

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 21 June 2008 - 12:59 PM

Hi no more vundo please,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15208AD2-1331-4184-9E50-73789F2A3D35}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A201CA2B-DA50-4CB0-8E61-F7BD79ECD141}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-  
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d8da88-5614-11dc-bb36-001b7731a1bc}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot),

please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases


then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:

Posted Image

Under Save as type select Text file write name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan, the contents of Combofix.txt and a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 no more vundo please

no more vundo please
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 22 June 2008 - 06:32 AM

Dear SifuMike,

I have create a script and run combo fix as instruct. Please find my scanned log below

+++++++++++++++++++++++++++
Kaspersky scan log
+++++++++++++++++++++++++++

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 22, 2008 07:38:20
Records in database: 880089
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 54447
Threat name: 6
Infected objects: 8
Suspicious objects: 2
Duration of the scan: 01:02:14


File name / Threat name / Threats count
C:\Program Files\ESET\infected\OOWQJOBA.NQF Infected: not-a-virus:AdWare.Win32.Agent.cb 1
C:\Program Files\ESET\infected\R00RXAAA.NQF Infected: Trojan.Win32.Dialer.yz 1
C:\Program Files\ESET\infected\R13SK4CA.NQF Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l 1
C:\Program Files\ESET\infected\U3YBAZDA.NQF Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\winemx32.dll.vir Suspicious: PECompact 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wintfj32.dll.vir Suspicious: PECompact 1
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
D:\Office Program\Nero and Drive Imag\Nero 7 Premium Reloaded 7.8.5.0\Nero-7.8.5.0_eng_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Office Program\Nero and Drive Imag\Nero8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Office Program\Nero and Drive Imag\Nero8\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.


End of log

+++++++++++++++++++++++++++
Combo Fix scan log
+++++++++++++++++++++++++++

ComboFix 08-06-20.4 - Administrator 2008-06-22 15:25:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.1612 [GMT 7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-20 12:42 . 2008-06-20 12:42 <DIR> d-------- C:\Deckard
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 19:59 . 2008-06-17 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-17 19:59 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 19:59 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 14:31 . 2008-06-17 16:51 456 --a------ C:\WINDOWS\wininit.ini
2008-06-17 13:59 . 2008-06-17 13:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-17 13:54 . 2008-06-17 13:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-17 13:54 . 2008-06-17 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 12:44 . 2008-06-17 12:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-17 12:44 . 2008-06-17 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-17 12:42 . 2008-06-17 12:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:25 . 2008-06-17 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 13:42 . 2008-06-10 13:42 746 --a------ C:\ShatteredGalaxy.lnk
2008-06-06 12:44 . 2008-06-10 13:41 <DIR> d-------- C:\Program Files\KRU
2008-06-05 16:57 . 2008-06-05 16:57 <DIR> d-------- C:\WINDOWS\Sun
2008-06-05 16:57 . 2008-06-05 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\bang
2008-06-05 16:57 . 2007-05-02 04:01 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-05 16:56 . 2008-06-05 16:57 <DIR> d-------- C:\Program Files\Java
2008-06-05 16:54 . 2008-06-05 16:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-03 09:35 . 2008-06-03 09:35 <DIR> d-------- C:\Program Files\Softnik Technologies
2008-06-03 09:35 . 2008-06-03 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Good Keywords v2
2008-05-29 18:55 . 2008-05-29 18:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-29 18:55 . 2001-10-27 04:16 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-05-23 08:50 . 2008-05-23 08:50 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 08:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-06-22 07:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-06-17 07:31 --------- d-----w C:\Program Files\ESET
2008-06-16 06:30 --------- d-----w C:\Program Files\BitComet
2008-06-16 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-02 08:31 --------- d-----w C:\Program Files\Winamp
2008-05-29 11:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-29 11:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 02:29 --------- d-----w C:\Program Files\Cooking Academy
2008-05-24 04:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Screenshot Sender
2008-05-23 01:49 56,912 ----a-w C:\WINDOWS\java\g2mdlhlpx.exe
2008-05-20 16:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-05-20 12:44 --------- d-----w C:\Program Files\Buildalot 2 Town Of The Year
2008-05-20 12:37 --------- d-----w C:\Program Files\Magic Farm
2008-05-19 08:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Meridian93
2008-05-19 08:42 --------- d-----w C:\Program Files\ReflexiveArcade
2008-05-19 08:11 --------- d-----w C:\Program Files\Oberon Media
2008-05-19 08:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-19 07:06 --------- d-----w C:\Program Files\Common Files\Oberon Media
2008-05-16 10:45 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-16 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-16 04:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 15:04 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-05-13 06:17 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-05-13 06:17 31,984 ----a-w C:\WINDOWS\dbrmdwb.exe
2008-05-13 06:17 2,004,728 ----a-w C:\WINDOWS\npdbplug.dll
2008-05-13 06:17 139,344 ----a-w C:\WINDOWS\system32\DNLEng.dll
2008-05-13 06:15 832,744 ----a-w C:\WINDOWS\dbplugin.exe
2008-05-08 02:46 --------- d-----w C:\Program Files\Windows Live
2008-05-08 02:46 --------- d-----w C:\Program Files\MSN Messenger
2008-05-08 02:46 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-07 07:05 --------- d-----w C:\Program Files\Unlocker
2008-05-05 14:30 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-05 14:29 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-02 03:52 155,995 ----a-w C:\WINDOWS\java\Packages\4UCD7RT7.ZIP
2008-04-29 04:49 --------- d-----w C:\Program Files\SmartFTP Client
2008-04-29 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SmartFTP
2008-04-29 04:48 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-29 04:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ACD Systems
2008-04-29 04:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 04:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 04:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 02:50 --------- d--h--w C:\Program Files\Zenographics
2008-04-25 17:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-25 17:33 --------- d-----w C:\Program Files\Skype
2008-04-25 17:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-25 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-25 03:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-04-06 05:47 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
.

------- Sigcheck -------

2007-07-04 17:27 359040 a14fafd66adbd55a86f17a37e5ec4263 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-21_16.44.22.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 09:42:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 08:28:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-21 05:12:41 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-22 07:46:14 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-21 05:12:41 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-22 07:46:14 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-08-08 22:42 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 16:48 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-05-06 09:29 6656]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 11:38 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-23 03:35 8433664]
"nwiz"="nwiz.exe" [2007-05-23 03:35 1626112 C:\WINDOWS\system32\nwiz.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 11:39 94208]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 16:31 630784]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 03:40 159744]
"CognizanceTS"="C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-23 01:12 17920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-08 11:54 950664]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-16 23:13 218408]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Winamp Agent.lnk - C:\Program Files\Winamp\winampa.exe [2004-12-20 12:41:22 33792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-29 17:06:58 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-16 11:54:20 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7542:TCP"= 7542:TCP:BitComet 7542 TCP
"7542:UDP"= 7542:UDP:BitComet 7542 UDP
"1356:UDP"= 1356:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"1357:UDP"= 1357:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2006-08-08 22:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fc35ec2-5642-11dc-bb32-806d6172696f}]
\Shell\AutoRun\command - E:\bootcd\wintools\autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 15:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-06-22 15:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 08:30:41
ComboFix2.txt 2008-06-21 09:44:42

Pre-Run: 39,384,875,008 bytes free
Post-Run: 39,383,003,136 bytes free

191

End of log

+++++++++++++++++++++++++++
HJT scan log
+++++++++++++++++++++++++++


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:12 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsee.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://sf.gg.in.th/activex/StarterSFTDE.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://mail.chazinsurance.com/dwa8W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2F7490-2BB1-41B4-BA36-C0B2B22583D6}: NameServer = 203.144.207.49 203.144.207.29
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 10572 bytes



I hope i follow your instuction correctly, thanks

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 22 June 2008 - 01:19 PM

Hi no more vundo please,

I hope i follow your instuction correctly


You did it perfectly. :thumbsup:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

*******************************************


Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
(Description: The WinAmp Agent. This puts a WinAmp icon is your system tray. It is completely unnecessary, and some viruses may hide in this file. Removing this entry will free up a small amount of system resources.)

O4 - Startup: Winamp Agent.lnk = C:\Program Files\Winamp\winampa.exe
(Description: Loads the System Tray icon for the WinAmp media player. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources. )

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
(Description: WinZip system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

Close all browsers and other windows except for HijackThis, and click "Fix checked"

*******************************************

Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    D:\Office Program\Nero and Drive Imag\Nero 7 Premium Reloaded 7.8.5.0\Nero-7.8.5.0_eng_trial.exe
    D:\Office Program\Nero and Drive Imag\Nero8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe
    D:\Office Program\Nero and Drive Imag\Nero8\Toolbar.exe


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, OTMoveIt2 log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 no more vundo please

no more vundo please
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 22 June 2008 - 10:42 PM

Dear SifuMike,

Please fine my HJT log and OTMoveit2 log below.

I have one question mike, Does it require a lot of knowledge in order to solve this kind of malware issue? I mean, may be i can learn and start help my friend and myself next time. Please advise the possiblity.

Anyway, cheers!
+++++++++++++++++++++++++++++
HJT Log
+++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:11 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.acdsee.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} (SFLauncherTDE Class) - http://sf.gg.in.th/activex/StarterSFTDE.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://mail.chazinsurance.com/dwa8W.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 10227 bytes



End og log

+++++++++++++++++++++++++++++
OTMoveit2 Log
+++++++++++++++++++++++++++++
OT2Moveit Log
D:\Office Program\Nero and Drive Imag\Nero 7 Premium Reloaded 7.8.5.0\Nero-7.8.5.0_eng_trial.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06232008_101944

D:\Office Program\Nero and Drive Imag\Nero8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe moved successfully.
D:\Office Program\Nero and Drive Imag\Nero8\Toolbar.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06232008_102024




End of log


All the best!

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 23 June 2008 - 12:30 AM

Hi no more vundo please,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox
VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.


I have one question mike, Does it require a lot of knowledge in order to solve this kind of malware issue? I mean, may be i can learn and start help my friend and myself next time. Please advise the possiblity.


Yes, it does require a lot of knowledge to remove malware. Bleeping Computer and most of the other malware removal forums offer Malware Removal training programs.
http://www.bleepingcomputer.com/forums/t/86678/malware-removal-training-program/

If you click on the link provided, you will read that the training school is temporarily full. As students are "promoted" new seats are available. Bookmark the admission link and check it once a week.




The malware training is time consuming and detailed, and that causes many of the trainees to drop out. The reason is that the trainees dont have commitment and time to spend. :)

Edited by SifuMike, 24 June 2008 - 09:59 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 no more vundo please

no more vundo please
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 24 June 2008 - 12:06 AM

Dear SifuMike,

Thank you for take care of me and people around the world inneed of help like me, really appreciate your help. I will try to read on the recommended article and try to not get infected again (at least in the near future :thumbsup: ). Also, will take a look at HJT class you mentined about.

Again thanks a lot of your time and I have donote some money to support your team as my appreciation.

Cheers!

+++++++++++++++++++
This topic is close
+++++++++++++++++++

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:29 AM

Posted 24 June 2008 - 10:20 AM

Thank you for the donation. :thumbsup:

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users