
Trojan-gamethief.win32.onlinegames.rxxp Infected, Please Help


  • This topic is locked
31 replies to this topic

#1 jimz84

jimz84

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 09 July 2008 - 04:43 PM

Hi all,

I feel lucky to have googled my way to this forum and hope this is the right place to get some hints to solve my headache.

My WinXP machine got infected by a malware called "Trojan-GameThief.Win32.OnlineGames.rxxp" by Kaspersky, and I have tried everything I could but failed to clean it up. I used to have the free AVG 7.5 installed and it detected the virus as "Trojan horse PSW.Onlinegames.AVLL", and the last 4 characters always change, like "AVLX" etc.

Two strange findings: 1) the virus always changes my system date back to the year 2000 when my XP starts; 2) it seems that when I unplug the network cable and boot in normal mode, all my AVs (AVG 7.5, Kaspersky Internet Security 7.0, HijackThis v2.0.2 and some other AVs I downloaded) report nothing. The virus is only detected when I boot the machine with a valid internet connection.

I have tried to run HijackThis and Kaspersky under safe mode and fix whatever they found until there was no more infection, but once I reboot in normal mode, the malware just comes back. I guess the detected malware was downloaded in real time from the internet, but there must be one undetected piece on my PC. But where is the real undetected malware? :thumbsup:

It has been more than a week and I really need to clean this mess up ASAP. I have so much important data on this machine. Please, help. I really appreciate it.

The following is the HijackThis v2.0.2 log file. Hope it may give the experts here in this forum some hints.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:56 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\system32\lassaplo.dll (file missing)
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll (file missing)
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll (file missing)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - C:\WINDOWS\system32\zywlcime.dll (file missing)
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - C:\WINDOWS\system32\akjsdkaq.dll (file missing)
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll (file missing)
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll (file missing)
O2 - BHO: nhmxejkl.dll - {57AC9076-C898-B098-D098-A18319080975} - C:\WINDOWS\system32\nhmxejkl.dll (file missing)
O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\system32\mndhfdwd.dll (file missing)
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll (file missing)
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll (file missing)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
O2 - BHO: zyzxjime.dll - {AA59145F-315D-BC23-AC1F-145DF81A34AA} - C:\WINDOWS\system32\zyzxjime.dll (file missing)
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - C:\WINDOWS\system32\hdf453d.dll (file missing)
O2 - BHO: yzztlmsn.dll - {C490415F-65F8-B5C5-D8BA-9405FB12054C} - C:\WINDOWS\system32\yzztlmsn.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O20 - AppInit_DLLs: nhmxejkl.dll,skqncbib.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 3333 bytes
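The log above shows a pattern worth recognising on sight: seventeen O2 BHO entries with eight-letter names, every one "(file missing)", and two of the same DLLs also registered under O20 AppInit_DLLs, where they would be loaded into every process that maps user32.dll, not just Internet Explorer. The following is an added triage script, not part of the original post or of HijackThis itself. It parses O2 and O20 lines in the v2.0.2 log format and scores each BHO against those three indicators. The sample input copies two lines from the posted log and adds one constructed benign BHO (its name, CLSID and path are made up) as a negative case; the "eight lowercase letters" check is a heuristic for this family's naming style, not a general rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample in the shape of the HijackThis v2.0.2 log above: two entries
# copied from the posted log plus one made-up benign BHO (name, CLSID and path are
# constructed) so the heuristics have a negative case to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\system32\lassaplo.dll (file missing)
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll (file missing)
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Vendor\helper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O20 - AppInit_DLLs: nhmxejkl.dll,skqncbib.dll
"""

# O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 line: "O20 - AppInit_DLLs: a.dll,b.dll"
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Heuristic only: eight lowercase letters plus .dll, the naming style seen in the log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


@dataclass
class BhoFinding:
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def basename(path: str) -> str:
    """Return the last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_appinit(text: str) -> Set[str]:
    """Collect the DLL names listed on O20 (AppInit_DLLs) lines, lowercased."""
    dlls: Set[str] = set()
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            dlls.update(d.strip().lower() for d in m.group("dlls").split(",") if d.strip())
    return dlls


def triage_bhos(text: str) -> List[BhoFinding]:
    """Score every O2 BHO line against the three indicators visible in the posted log."""
    appinit = parse_appinit(text)
    findings: List[BhoFinding] = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        f = BhoFinding(m.group("name"), m.group("clsid"), m.group("path"))
        dll = basename(f.path).lower()
        if m.group("missing"):
            # HijackThis could not see the file. That means either it was deleted or it is
            # hidden from the tool; a CLSID still pointing at it deserves a look either way.
            f.reasons.append("registered but file not visible")
        if RANDOM_NAME_RE.match(dll):
            f.reasons.append("eight-letter random-looking name")
        if dll in appinit:
            # AppInit_DLLs are loaded into every process that maps user32.dll, so the
            # same DLL becomes a system-wide injection rather than an IE add-on.
            f.reasons.append("also listed in AppInit_DLLs")
        findings.append(f)
    return findings


def suspicious_names(text: str) -> List[str]:
    """Lowercased file names of the BHOs that tripped at least one indicator."""
    return [basename(f.path).lower() for f in triage_bhos(text) if f.suspicious]


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        flag = "SUSPECT" if f.suspicious else "ok     "
        print(f"{flag} {f.clsid} {f.path} {'; '.join(f.reasons)}")
```

Run against the full log from the post, every O2 entry trips at least the first two indicators and nhmxejkl.dll and skqncbib.dll trip all three; the constructed benign entry trips none. The indicators only order the entries for a human reviewer; they do not replace the file-level checks (hidden attributes, timestamps, hashes) that the later scans in this thread provide.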



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:28 AM

Posted 09 July 2008 - 05:17 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 09 July 2008 - 05:22 PM

Thank you, Sam. Right now I'm just away from home PC and will do what you suggested tonight. I really appreciate your help.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:28 AM

Posted 09 July 2008 - 05:24 PM

Sounds good! I'll be around. :thumbsup:


========================================================

#5 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 09 July 2008 - 10:29 PM

Hi Sam,

Following is the DSS log. I unplugged my network cable to boot the machine, then connected the network cable back, to avoid the virus showing up. Afterwards, I downloaded and ran DSS and got the two log files.

Hope you can help to figure out how to fix it. Thanks,
-Jim


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Deckard's System Scanner v20071014.68
Run by jzhao on 2008-07-09 20:15:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-10 03:15:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jzhao.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:48 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jzhao.GST-A58BF168D75\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jzhao.exe

O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\system32\lassaplo.dll (file missing)
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll (file missing)
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll (file missing)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - C:\WINDOWS\system32\zywlcime.dll (file missing)
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - C:\WINDOWS\system32\akjsdkaq.dll (file missing)
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll (file missing)
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll (file missing)
O2 - BHO: nhmxejkl.dll - {57AC9076-C898-B098-D098-A18319080975} - C:\WINDOWS\system32\nhmxejkl.dll (file missing)
O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\system32\mndhfdwd.dll (file missing)
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll (file missing)
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll (file missing)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
O2 - BHO: zyzxjime.dll - {AA59145F-315D-BC23-AC1F-145DF81A34AA} - C:\WINDOWS\system32\zyzxjime.dll (file missing)
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - C:\WINDOWS\system32\hdf453d.dll (file missing)
O2 - BHO: yzztlmsn.dll - {C490415F-65F8-B5C5-D8BA-9405FB12054C} - C:\WINDOWS\system32\yzztlmsn.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: nhmxejkl.dll,skqncbib.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 3075 bytes

-- File Associations -----------------------------------------------------------

.ini - UltraEdit.ini - DefaultIcon - unable to read value
.ini - UltraEdit.ini - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe" "%1"
.txt - UltraEdit.txt - DefaultIcon - unable to read value
.txt - UltraEdit.txt - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FsVga - c:\windows\system32\drivers\fsvga.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 02ab640cf7f5528b - c:\02ab640cf7f5528b.dat (file missing)
S3 03c6a4ac13e12267 - c:\03c6a4ac13e12267.dat (file missing)
S3 156a30544ad7a6c6 - c:\156a30544ad7a6c6.dat (file missing)
S3 1930d5005eb25d5d - c:\1930d5005eb25d5d.dat (file missing)
S3 330807d41972b528 - c:\330807d41972b528.dat (file missing)
S3 426493e44f943816 - c:\426493e44f943816.dat (file missing)
S3 514c3d2839c1298f - c:\514c3d2839c1298f.dat (file missing)
S3 5cc127dc4a835e01 - c:\5cc127dc4a835e01.dat (file missing)
S3 5d5707581761dfac - c:\5d5707581761dfac.dat (file missing)
S3 5f08277409cfd8da - c:\5f08277409cfd8da.dat (file missing)
S3 6dced408f6d20c45 - c:\6dced408f6d20c45.dat (file missing)
S3 747257c8500711e8 - c:\747257c8500711e8.dat (file missing)
S3 8a61e940b12b411e - c:\8a61e940b12b411e.dat (file missing)
S3 955172d0ba13fb78 - c:\955172d0ba13fb78.dat (file missing)
S3 ab6200f8dc53cf04 - c:\ab6200f8dc53cf04.dat (file missing)
S3 dd5f4684950217fb - c:\dd5f4684950217fb.dat (file missing)
S3 e35c6c702949cb01 - c:\e35c6c702949cb01.dat (file missing)
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 Zehowunm - c:\windows\system32\drivers\zehowunm.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_1040&SUBSYS_10008086&REV_00\3&61AAA01&0&48
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_1040&SUBSYS_10008086&REV_00\3&61AAA01&0&48
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Camera
Device ID: USB\VID_046D&PID_08F5\5&8F113F9&0&1
Manufacturer:
Name: Camera
PNP Device ID: USB\VID_046D&PID_08F5\5&8F113F9&0&1
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-02 17:58:30 376 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-09 20:12:31 0 d-------- C:\WINDOWS\LastGood
2008-07-08 22:42:06 0 d-------- C:\Program Files\Trend Micro
2008-07-07 22:37:10 0 d--h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\Templates
2008-07-07 22:37:10 0 dr------- C:\Documents and Settings\Administrator.GST-A58BF168D75\Start Menu
2008-07-07 22:37:10 0 dr-h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\SendTo
2008-07-07 22:37:10 0 d--h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\Recent
2008-07-07 22:37:10 0 d--h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\PrintHood
2008-07-07 22:37:10 786432 --ah----- C:\Documents and Settings\Administrator.GST-A58BF168D75\NTUSER.DAT
2008-07-07 22:37:10 0 d--h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\NetHood
2008-07-07 22:37:10 0 d-------- C:\Documents and Settings\Administrator.GST-A58BF168D75\My Documents
2008-07-07 22:37:10 0 d--h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\Local Settings
2008-07-07 22:37:10 0 d-------- C:\Documents and Settings\Administrator.GST-A58BF168D75\Favorites
2008-07-07 22:37:10 0 d-------- C:\Documents and Settings\Administrator.GST-A58BF168D75\Desktop
2008-07-07 22:37:10 0 d--hs---- C:\Documents and Settings\Administrator.GST-A58BF168D75\Cookies
2008-07-07 22:37:10 0 dr-h----- C:\Documents and Settings\Administrator.GST-A58BF168D75\Application Data
2008-07-07 22:37:10 0 d---s---- C:\Documents and Settings\Administrator.GST-A58BF168D75\Application Data\Microsoft
2008-07-07 21:53:18 24 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-07-07 21:45:55 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-07 21:45:55 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-07 21:44:43 7968 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-07 21:44:43 594976 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 21:44:43 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-07 21:44:42 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-07-07 21:42:14 0 d-------- C:\kav


-- Find3M Report ---------------------------------------------------------------

2008-07-08 23:16:57 24 --a------ C:\WINDOWS\system32\ciwdaapi.sys
2008-07-07 23:56:06 24 --a------ C:\WINDOWS\system32\wymxajkl.sys
2008-07-07 22:00:45 24 --a------ C:\WINDOWS\system32\pzwlaime.sys
2008-07-07 22:00:44 24 --a------ C:\WINDOWS\system32\ijsgajba.sys
2008-07-07 22:00:43 24 --a------ C:\WINDOWS\system32\toqnabib.sys
2008-07-07 22:00:43 24 --a------ C:\WINDOWS\system32\sqjsakaq.sys
2008-07-07 21:43:51 0 d-------- C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\AVG7
2008-07-07 21:33:37 0 d-------- C:\Program Files\Enigma Software Group
2008-07-07 21:30:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:58:19 0 d-------- C:\Program Files\MSN Messenger


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B69874A-C58C-458D-69F0-698F874E41B2}]
C:\WINDOWS\system32\lassaplo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32023698-6984-8541-9654-698745012523}]
C:\WINDOWS\system32\skqncbib.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
C:\WINDOWS\system32\yxcschlp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73}]
C:\WINDOWS\system32\zywlcime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
C:\WINDOWS\system32\apzhctde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A908760-8000-4000-A000-9000322145A4}]
C:\WINDOWS\system32\akjsdkaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]
C:\WINDOWS\system32\zptlcsys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{528DF602-9541-A985-210A-984A698C6F25}]
C:\WINDOWS\system32\ptjhehlp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55694105-5108-9405-3695-954187462155}]
C:\WINDOWS\system32\mpwdeapi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57AC9076-C898-B098-D098-A18319080975}]
C:\WINDOWS\system32\nhmxejkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C648541-1025-9650-9057-6541258720C6}]
C:\WINDOWS\system32\mndhfdwd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A041F13-A111-12A3-B0CF-F99818AA68A7}]
C:\WINDOWS\system32\zxmsdwin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
C:\WINDOWS\system32\mnmhgsrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
C:\WINDOWS\system32\apsggjba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA59145F-315D-BC23-AC1F-145DF81A34AA}]
C:\WINDOWS\system32\zyzxjime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B629FF4F-ACDB-5C90-A098-FACB3456A26B}]
C:\WINDOWS\system32\hdf453d.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C490415F-65F8-B5C5-D8BA-9405FB12054C}]
C:\WINDOWS\system32\yzztlmsn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{32023698-6984-8541-9654-698745012523}"= C:\WINDOWS\system32\skqncbib.dll [ ]
"{C490415F-65F8-B5C5-D8BA-9405FB12054C}"= C:\WINDOWS\system32\yzztlmsn.dll [ ]
"{57AC9076-C898-B098-D098-A18319080975}"= C:\WINDOWS\system32\nhmxejkl.dll [ ]
"{4A908760-8000-4000-A000-9000322145A4}"= C:\WINDOWS\system32\akjsdkaq.dll [ ]
"{2B69874A-C58C-458D-69F0-698F874E41B2}"= C:\WINDOWS\system32\lassaplo.dll [ ]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [ ]
"{50940F85-F015-14F1-A05F-F69858AC6D05}"= C:\WINDOWS\system32\zptlcsys.dll [ ]
"{7A041F13-A111-12A3-B0CF-F99818AA68A7}"= C:\WINDOWS\system32\zxmsdwin.dll [ ]
"{B629FF4F-ACDB-5C90-A098-FACB3456A26B}"= C:\WINDOWS\system32\hdf453d.dll [ ]
"{7FD45A54-9875-698F-E56E-65102358FDF7}"= C:\WINDOWS\system32\apsggjba.dll [ ]
"{55694105-5108-9405-3695-954187462155}"= C:\WINDOWS\system32\mpwdeapi.dll [ ]
"{AA59145F-315D-BC23-AC1F-145DF81A34AA}"= C:\WINDOWS\system32\zyzxjime.dll [ ]
"{6C648541-1025-9650-9057-6541258720C6}"= C:\WINDOWS\system32\mndhfdwd.dll [ ]
"{3D698451-2015-6358-9871-2015987452D3}"= C:\WINDOWS\system32\apzhctde.dll [ ]
"{35671234-7890-ABCD-CDEF-567801237653}"= C:\WINDOWS\system32\yxcschlp.dll [ ]
"{37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73}"= C:\WINDOWS\system32\zywlcime.dll [ ]
"{528DF602-9541-A985-210A-984A698C6F25}"= C:\WINDOWS\system32\ptjhehlp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxejkl.dll,skqncbib.dll




-- End of Deckard's System Scanner: finished at 2008-07-09 20:18:01 ------------


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:28 AM

Posted 10 July 2008 - 08:34 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - C:\WINDOWS\system32\lassaplo.dll (file missing)
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll (file missing)
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - C:\WINDOWS\system32\yxcschlp.dll (file missing)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - C:\WINDOWS\system32\zywlcime.dll (file missing)
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - C:\WINDOWS\system32\apzhctde.dll (file missing)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - C:\WINDOWS\system32\akjsdkaq.dll (file missing)
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - C:\WINDOWS\system32\zptlcsys.dll (file missing)
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll (file missing)
O2 - BHO: nhmxejkl.dll - {57AC9076-C898-B098-D098-A18319080975} - C:\WINDOWS\system32\nhmxejkl.dll (file missing)
O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - C:\WINDOWS\system32\mndhfdwd.dll (file missing)
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - C:\WINDOWS\system32\zxmsdwin.dll (file missing)
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll (file missing)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - C:\WINDOWS\system32\apsggjba.dll (file missing)
O2 - BHO: zyzxjime.dll - {AA59145F-315D-BC23-AC1F-145DF81A34AA} - C:\WINDOWS\system32\zyzxjime.dll (file missing)
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - C:\WINDOWS\system32\hdf453d.dll (file missing)
O2 - BHO: yzztlmsn.dll - {C490415F-65F8-B5C5-D8BA-9405FB12054C} - C:\WINDOWS\system32\yzztlmsn.dll (file missing)
O20 - AppInit_DLLs: nhmxejkl.dll,skqncbib.dll




Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new DSS log



========================================================

#7 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 10 July 2008 - 09:39 AM

Hi Sam,

Just did what you suggested line by line. But once SDFix finished, Kaspersky started to report malware again.
I ran HijackThis again and, as we can tell, the malware just came back and my system date was again back to the year 2000 (the time, month and day look correct but the year got changed).


Following are the SDFix log and the HijackThis log.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

SDFix: Version 1.204
Run by jzhao on Thu 07/10/2008 at 07:08 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2000-07-10 07:24:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="yzztlmsn.dll,akjsdkaq.dll,arjrgler.dll,nhmxejkl.dll"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:Outlook Express"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MZPlayer\\MZPlayer.exe"="C:\\Program Files\\MZPlayer\\MZPlayer.exe:*:Enabled:p2p client"
"C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"="C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE:*:Enabled:Client Activator"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Disabled:Nero ShowTime"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPSIoA‡æ‡EO"
"C:\\Program Files\\PPStream\\PPSAP.exe"="C:\\Program Files\\PPStream\\PPSAP.exe:*:Enabled:PPS IoA‡¬OEU’ö"
"C:\\Program Files\\uusee\\UUSeePlayer.exe"="C:\\Program Files\\uusee\\UUSeePlayer.exe:*:Enabled:UUPlayer"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\DIGIZON Player\\DIGIZON.exe"="C:\\Program Files\\DIGIZON Player\\DIGIZON.exe:*:Enabled:DIGIZON.exe"
"C:\\Program Files\\Real\\eREAD_Cookcase.exe"="C:\\Program Files\\Real\\eREAD_Cookcase.exe:*:Disabled:eREAD 7.0"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 10 Jul 2000 536,072 A.SH. --- "C:\WINDOWS\system32\akjsdkaq.dll"
Sun 8 Aug 2004 1,040 ..SH. --- "C:\WINDOWS\system32\aoqnabib.sys"
Mon 10 Jul 2000 537,608 A.SH. --- "C:\WINDOWS\system32\apsggjba.dll"
Mon 10 Jul 2000 538,120 A.SH. --- "C:\WINDOWS\system32\apzhctde.dll"
Mon 10 Jul 2000 536,072 A.SH. --- "C:\WINDOWS\system32\arjrgler.dll"
Sun 8 Aug 2004 6,240 ..SH. --- "C:\WINDOWS\system32\fassaplo.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\fstlbsys.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\fxwlbime.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\fxzxbime.sys"
Sun 8 Aug 2004 5,200 ..SH. --- "C:\WINDOWS\system32\fzmsbwin.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\gpsgajba.sys"
Sun 8 Aug 2004 1,040 ..SH. --- "C:\WINDOWS\system32\gpzhatde.sys"
Sun 8 Aug 2004 1,040 ..SH. --- "C:\WINDOWS\system32\gsdhadwd.sys"
Wed 5 Jul 2006 16 ...H. --- "C:\WINDOWS\system32\gytaevo.dll"
Mon 10 Jul 2000 538,632 A.SH. --- "C:\WINDOWS\system32\hdf453d.dll"
Sun 8 Aug 2004 2,080 ..SH. --- "C:\WINDOWS\system32\iujraler.sys"
Mon 10 Jul 2000 535,560 A.SH. --- "C:\WINDOWS\system32\lassaplo.dll"
Mon 10 Jul 2000 536,072 A.SH. --- "C:\WINDOWS\system32\mndhfdwd.dll"
Mon 10 Jul 2000 539,144 A.SH. --- "C:\WINDOWS\system32\mnmhgsrv.dll"
Mon 10 Jul 2000 538,120 A.SH. --- "C:\WINDOWS\system32\mpwdeapi.dll"
Mon 10 Jul 2000 536,072 A.SH. --- "C:\WINDOWS\system32\nhmxejkl.dll"
Sun 8 Aug 2004 4,160 ..SH. --- "C:\WINDOWS\system32\pmjhbhlp.sys"
Mon 10 Jul 2000 535,560 A.SH. --- "C:\WINDOWS\system32\ptjhehlp.dll"
Sun 8 Aug 2004 1,560 ..SH. --- "C:\WINDOWS\system32\rnmxajkl.sys"
Sun 8 Aug 2004 7,280 ..SH. --- "C:\WINDOWS\system32\sdjsakaq.sys"
Mon 10 Jul 2000 535,048 A.SH. --- "C:\WINDOWS\system32\skqncbib.dll"
Sun 8 Aug 2004 2,080 ..SH. --- "C:\WINDOWS\system32\smmhbsrv.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\spmybapi.sys"
Sun 8 Aug 2004 4,680 ..SH. --- "C:\WINDOWS\system32\spwdbapi.sys"
Sun 8 Aug 2004 1,040 ..SH. --- "C:\WINDOWS\system32\xfztbmsn.sys"
Sun 8 Aug 2004 1,040 ..SH. --- "C:\WINDOWS\system32\xzcsbhlp.sys"
Mon 10 Jul 2000 534,024 A.SH. --- "C:\WINDOWS\system32\yxcschlp.dll"
Mon 10 Jul 2000 536,584 A.SH. --- "C:\WINDOWS\system32\yzztlmsn.dll"
Mon 10 Jul 2000 536,072 A.SH. --- "C:\WINDOWS\system32\zptlcsys.dll"
Mon 10 Jul 2000 536,584 A.SH. --- "C:\WINDOWS\system32\zxmsdwin.dll"
Mon 10 Jul 2000 538,120 A.SH. --- "C:\WINDOWS\system32\zywlcime.dll"
Mon 10 Jul 2000 537,608 A.SH. --- "C:\WINDOWS\system32\zyzxjime.dll"
Mon 20 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Mon 19 Mar 2007 40 A..HR --- "C:\Program Files\Freedom Scientific\Activator\FSSHELL32.dll"
Tue 6 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 7 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\927c988306a93278708f61afaae477cc\BIT3.tmp"
Mon 7 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT4.tmp"
Mon 7 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT2.tmp"
Sun 2 Dec 2007 181,760 ...H. --- "C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 2 Dec 2007 26,112 ...H. --- "C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\Microsoft\Word\~WRL1615.tmp"
Sun 2 Dec 2007 25,600 ...H. --- "C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\Microsoft\Word\~WRL2627.tmp"
Sun 2 Dec 2007 24,576 ...H. --- "C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\Microsoft\Word\~WRL3026.tmp"
Sun 2 Dec 2007 109,056 ...H. --- "C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\Microsoft\Word\~WRL3697.tmp"

Finished!


>>>>>>>>>>>>>>>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:48 AM, on 7/10/2000
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: lassaplo.dll - {2B69874A-C58C-458D-69F0-698F874E41B2} - (no file)
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll
O2 - BHO: yxcschlp.dll - {35671234-7890-ABCD-CDEF-567801237653} - (no file)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - (no file)
O2 - BHO: apzhctde.dll - {3D698451-2015-6358-9871-2015987452D3} - (no file)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - C:\WINDOWS\system32\akjsdkaq.dll
O2 - BHO: zptlcsys.dll - {50940F85-F015-14F1-A05F-F69858AC6D05} - (no file)
O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - (no file)
O2 - BHO: mpwdeapi.dll - {55694105-5108-9405-3695-954187462155} - (no file)
O2 - BHO: nhmxejkl.dll - {57AC9076-C898-B098-D098-A18319080975} - C:\WINDOWS\system32\nhmxejkl.dll
O2 - BHO: mndhfdwd.dll - {6C648541-1025-9650-9057-6541258720C6} - (no file)
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - (no file)
O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - (no file)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - (no file)
O2 - BHO: arjrgler.dll - {9C69034A-F45F-D34D-A33A-C33C4D324FC9} - C:\WINDOWS\system32\arjrgler.dll
O2 - BHO: zyzxjime.dll - {AA59145F-315D-BC23-AC1F-145DF81A34AA} - (no file)
O2 - BHO: hdf453d.dll - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} - (no file)
O2 - BHO: yzztlmsn.dll - {C490415F-65F8-B5C5-D8BA-9405FB12054C} - C:\WINDOWS\system32\yzztlmsn.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O20 - AppInit_DLLs: akjsdkaq.dll,,skqncbib.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 2914 bytes

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 July 2008 - 01:07 PM

On to plan B.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts

Posted 10 July 2008 - 01:46 PM

Thanks, Sam. I'll do it once I get home this evening. Have a nice day.

#10 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts

Posted 10 July 2008 - 10:22 PM

Hi Sam, the following is the ComboFix log. Thanks for helping me.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 08-07-10.1 - jzhao 2008-07-10 19:35:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.281 [GMT -7:00]
Running from: C:\Documents and Settings\jzhao.GST-A58BF168D75\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$VAULT$.AVG\_desktop.ini
C:\_desktop.ini
C:\hegames\_desktop.ini
C:\Program Files\_desktop.ini
C:\Program Files\Accessories\_desktop.ini
C:\Program Files\Accessories\Imagevue\_desktop.ini
C:\Program Files\Enigma Software Group\_desktop.ini
C:\Program Files\Grisoft\_desktop.ini
C:\Program Files\Grisoft\AVG Free\_desktop.ini
C:\Program Files\Microsoft Office\_desktop.ini
C:\Program Files\Microsoft Office\Office\_desktop.ini
C:\Program Files\Microsoft Office\Templates\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\arcs.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\bars.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\blocks.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\blueprnt.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\capsules.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\downtown.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\expeditn.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\highway.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\neon.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\normal.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\poetic.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\street.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\css\sweets.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\bantoc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\footer.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\footnote.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\header.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\horzsplt.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\navwtoc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\threelev.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\toc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\topdown.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Frames\vertsplt.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\1center.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\1cheads.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\1cleft.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\1cright.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\2ceven.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\2cmenul.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\2cmenur.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\2cstagr.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\3c2stagl.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\3ceven.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\3cmenuc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\3cmenul.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\3csidbar.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\4ccenter.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\4cstagc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\4cstagl.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\biblio.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\confirm.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\faq.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\feedback.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\guestbk.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\normal.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\reguser.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\search.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\toc.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Pages\vtiform.wiz\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\custsupp.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\custsupp.tem\images\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\empty.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\msimport.wiz\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\normal.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\personal.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\personal.tem\images\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\project.tem\images\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\vtidisc.wiz\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1033\Webs\vtipres.wiz\_desktop.ini
C:\Program Files\Microsoft Office\Templates\Design Templates 97\_desktop.ini
C:\Program Files\Microsoft Office\Templates\Presentation Designs\_desktop.ini
C:\Program Files\Microsoft Visual Studio\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\MSE\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\MSE\1033\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\NewFileItems\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\Resources\_desktop.ini
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\Resources\1033\_desktop.ini
C:\Program Files\MSN Messenger\_desktop.ini
C:\Program Files\MSN\_desktop.ini
C:\Program Files\MSN\MSNCoreFiles\_desktop.ini
C:\Program Files\MSN\MSNCoreFiles\Install\_desktop.ini
C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\_desktop.ini
C:\Program Files\MSN\MSNCoreFiles\OOBE\_desktop.ini
C:\Program Files\MSXML 4.0\_desktop.ini
C:\Program Files\Nero\_desktop.ini
C:\Program Files\Nero\Nero 7\_desktop.ini
C:\Program Files\Nero\Nero 7\Core\_desktop.ini
C:\Program Files\Nero\Nero 7\Core\CDI\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero BackItUp\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero BackItUp\NeroFiles\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero CoverDesigner\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero CoverDesigner\Templates\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Fast CD-DVD Burning Plug-in\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Backgrounds\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Backgrounds_Others\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_Content_BigListView\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_Content_IconView\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_Content_ListView\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_Handlers\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_MenuItems\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_OSD\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_PlayerControls\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\BG_Settings\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Content\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_FileTypes\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Handlers\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_MediaCategory\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_MenuItems\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Notifications\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_OSD\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_PlayerControls\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_Settings\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Icons_State\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\Logo\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\Graphics\VirtualKeyboard\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Horizon Sphere\XML\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Backgrounds\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_Content_IconView\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_Content_ListView\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_MenuItems\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_Notifications\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_OSD\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_PlayerControls\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_Settings\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\BG_Specials\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_Content\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_FileTypes\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_Handlers\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_MediaCategory\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_MenuItems\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_OSD\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_PlayerControls\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_Settings\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Icons_State\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\Logo\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\Graphics\VirtualKeyboard\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Home\Skins\Spin\XML\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero ImageDrive\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero MediaHome\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero PhotoSnap\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Recode\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero ShowTime\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero ShowTime\Skins\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\808\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Acoustic\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Funk\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Hiphop\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\House\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Industrial\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Jazz\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Rock\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Synth\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Drums\Techno\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Concert\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Farm\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Horror\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Jungle\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Office\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Party\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Stadion\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Traffic\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Vehicles\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Samples\Weather\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundBox\Templates\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero SoundTrax\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero StartSmart\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Toolkit\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Vision\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Vision\Buttons\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Vision\MenuTemplates\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Vision\MenuTemplates\Pictures\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero Vision\Video\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero WaveEditor\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero\_desktop.ini
C:\Program Files\Nero\Nero 7\Nero\Uninstall\_desktop.ini
C:\Program Files\Online Services\_desktop.ini
C:\Program Files\Snapshot Viewer\_desktop.ini
C:\Program Files\TechSmith\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\2KXP\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\9XME\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\HTML_Content\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Images\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Stamps\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Stamps\Accents\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Stamps\Arrows\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Stamps\Callouts\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Stamps\Cursors\_desktop.ini
C:\Program Files\TechSmith\SnagIt 7\Textures\_desktop.ini
C:\Program Files\UltraEdit\_desktop.ini
C:\Program Files\Uninstall Information\_desktop.ini
C:\Program Files\Uninstall Information\IE UserData NT\_desktop.ini
C:\Program Files\Uninstall Information\mupdate\_desktop.ini
C:\Program Files\Uninstall Information\oeupdate\_desktop.ini
C:\Program Files\Uninstall Information\OutlookExpress\_desktop.ini
C:\Program Files\xerox\_desktop.ini
C:\Program Files\xerox\nwwia\_desktop.ini
C:\Recycled\Dc14.2006\_desktop.ini
C:\Recycled\Dc15.2006\_desktop.ini
C:\Recycled\Dc16\_desktop.ini
C:\RECYCLER\_desktop.ini
C:\RECYCLER\S-1-5-21-854245398-1957994488-261410435-1004\_desktop.ini
C:\WINDOWS\system32\ciwdaapi.sys
C:\WINDOWS\system32\fassaplo.sys
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxwlbime.sys
C:\WINDOWS\system32\fxzxbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\gsdhadwd.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\pmjhbhlp.sys
C:\WINDOWS\system32\pzwlaime.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sdjsakaq.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\spwdbapi.sys
C:\WINDOWS\system32\sqjsakaq.sys
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\xzcsbhlp.sys

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 07:03 . 2008-07-10 07:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-10 06:54 . 2000-07-10 07:28 <DIR> d-------- C:\SDFix
2008-07-09 20:15 . 2008-07-09 20:15 <DIR> d-------- C:\Deckard
2008-07-09 20:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-08 22:42 . 2008-07-08 22:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 22:37 . 2008-07-07 22:37 <DIR> d-------- C:\Documents and Settings\Administrator.GST-A58BF168D75
2008-07-07 21:45 . 2008-07-07 21:58 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-07 21:45 . 2008-07-07 21:58 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-07 21:44 . 2008-07-07 21:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-07 21:44 . 2008-07-10 19:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-07-07 21:44 . 2008-07-10 19:47 810,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 21:44 . 2008-07-10 19:44 15,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-07 21:44 . 2008-07-10 19:42 11,900 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-07 21:44 . 2008-07-10 19:42 2,468 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-07 21:42 . 2008-07-07 21:42 <DIR> d-------- C:\kav
2008-06-26 19:46 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-26 19:46 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 02:43 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-11 02:40 --------- d-----w C:\Program Files\UltraEdit
2008-07-11 02:40 --------- d-----w C:\Program Files\TechSmith
2008-07-11 02:40 --------- d-----w C:\Program Files\Snapshot Viewer
2008-07-11 02:40 --------- d-----w C:\Program Files\Nero
2008-07-11 02:39 --------- d-----w C:\Program Files\MSN Messenger
2008-07-11 02:39 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-11 02:39 --------- d-----w C:\Program Files\Accessories
2008-07-08 05:00 34,064 ----a-w C:\WINDOWS\system32\drivers\npf111.sys
2008-07-08 04:58 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\AVG7
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-07-08 04:34 --------- d--h--r C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-07-08 04:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-02 06:26 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-17 22:53 90,112 ----a-w C:\WINDOWS\DUMP6619.tmp
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-02 20:22 271 --sh--w C:\Program Files\desktop.ini
2006-11-02 20:22 21,952 ---ha-w C:\Program Files\folder.htt
2004-08-08 14:24 1,040 --sh--w C:\WINDOWS\system32\aoqnabib.sys
2004-08-08 14:22 2,080 --sh--w C:\WINDOWS\system32\iujraler.sys
.

------- Sigcheck -------

2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 09:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 05:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 05:55 2057600 1d659bfb788ed2ba45075624b748d249 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 09:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 02:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 05:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 07:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 03:23 1033216 177cedb5d8714a6bd4a56eaacc693cfd C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 05:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 16:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
2005-06-10 16:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=akjsdkaq.dll,,skqncbib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\kav\\kis\\setup.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 15:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 02ab640cf7f5528b;02ab640cf7f5528b;C:\02ab640cf7f5528b.dat []
S3 03c6a4ac13e12267;03c6a4ac13e12267;C:\03c6a4ac13e12267.dat []
S3 156a30544ad7a6c6;156a30544ad7a6c6;C:\156a30544ad7a6c6.dat []
S3 1930d5005eb25d5d;1930d5005eb25d5d;C:\1930d5005eb25d5d.dat []
S3 330807d41972b528;330807d41972b528;C:\330807d41972b528.dat []
S3 426493e44f943816;426493e44f943816;C:\426493e44f943816.dat []
S3 514c3d2839c1298f;514c3d2839c1298f;C:\514c3d2839c1298f.dat []
S3 5cc127dc4a835e01;5cc127dc4a835e01;C:\5cc127dc4a835e01.dat []
S3 5d5707581761dfac;5d5707581761dfac;C:\5d5707581761dfac.dat []
S3 5f08277409cfd8da;5f08277409cfd8da;C:\5f08277409cfd8da.dat []
S3 6dced408f6d20c45;6dced408f6d20c45;C:\6dced408f6d20c45.dat []
S3 747257c8500711e8;747257c8500711e8;C:\747257c8500711e8.dat []
S3 8a61e940b12b411e;8a61e940b12b411e;C:\8a61e940b12b411e.dat []
S3 8e390c44cb3fbfb0;8e390c44cb3fbfb0;C:\8e390c44cb3fbfb0.dat []
S3 955172d0ba13fb78;955172d0ba13fb78;C:\955172d0ba13fb78.dat []
S3 ab6200f8dc53cf04;ab6200f8dc53cf04;C:\ab6200f8dc53cf04.dat []
S3 dd5f4684950217fb;dd5f4684950217fb;C:\dd5f4684950217fb.dat []
S3 e35c6c702949cb01;e35c6c702949cb01;C:\e35c6c702949cb01.dat []
S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2008-07-07 22:00]
S3 Zehowunm;Zehowunm;C:\WINDOWS\system32\drivers\Zehowunm.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 00:58:30 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{4B590C84-0C84-B590-84B5-C8459C84B590} - (no file)
Notify-WgaLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 19:45:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\02ab640cf7f5528b]
"ImagePath"="\??\C:\02ab640cf7f5528b.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\03c6a4ac13e12267]
"ImagePath"="\??\C:\03c6a4ac13e12267.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\156a30544ad7a6c6]
"ImagePath"="\??\C:\156a30544ad7a6c6.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1930d5005eb25d5d]
"ImagePath"="\??\C:\1930d5005eb25d5d.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\330807d41972b528]
"ImagePath"="\??\C:\330807d41972b528.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\426493e44f943816]
"ImagePath"="\??\C:\426493e44f943816.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\514c3d2839c1298f]
"ImagePath"="\??\C:\514c3d2839c1298f.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\5cc127dc4a835e01]
"ImagePath"="\??\C:\5cc127dc4a835e01.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\5d5707581761dfac]
"ImagePath"="\??\C:\5d5707581761dfac.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\5f08277409cfd8da]
"ImagePath"="\??\C:\5f08277409cfd8da.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6dced408f6d20c45]
"ImagePath"="\??\C:\6dced408f6d20c45.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\747257c8500711e8]
"ImagePath"="\??\C:\747257c8500711e8.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8a61e940b12b411e]
"ImagePath"="\??\C:\8a61e940b12b411e.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8e390c44cb3fbfb0]
"ImagePath"="\??\C:\8e390c44cb3fbfb0.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\955172d0ba13fb78]
"ImagePath"="\??\C:\955172d0ba13fb78.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ab6200f8dc53cf04]
"ImagePath"="\??\C:\ab6200f8dc53cf04.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dd5f4684950217fb]
"ImagePath"="\??\C:\dd5f4684950217fb.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e35c6c702949cb01]
"ImagePath"="\??\C:\e35c6c702949cb01.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-10 19:54:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-11 02:53:50

Pre-Run: 13,374,631,936 bytes free
Post-Run: 13,496,524,800 bytes free

472 --- E O F --- 2008-07-10 05:33:28

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 July 2008 - 03:24 PM

Now we're getting somewhere.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
02ab640cf7f5528b 
03c6a4ac13e12267 
156a30544ad7a6c6 
1930d5005eb25d5d 
330807d41972b528
426493e44f943816
514c3d2839c1298f 
5cc127dc4a835e01
5d5707581761dfac
5f08277409cfd8da
6dced408f6d20c45
747257c8500711e8
8a61e940b12b411e
8e390c44cb3fbfb0
955172d0ba13fb78
ab6200f8dc53cf04
dd5f4684950217fb
e35c6c702949cb01
NPF111
Zehowunm

File::
C:\02ab640cf7f5528b.dat
C:\03c6a4ac13e12267.dat
C:\156a30544ad7a6c6.dat
C:\1930d5005eb25d5d.dat
C:\330807d41972b528.dat
C:\426493e44f943816.dat
C:\514c3d2839c1298f.dat
C:\5cc127dc4a835e01.dat
C:\5d5707581761dfac.dat
C:\5f08277409cfd8da.dat
C:\6dced408f6d20c45.dat
C:\747257c8500711e8.dat
C:\8a61e940b12b411e.dat 
C:\8e390c44cb3fbfb0.dat
C:\955172d0ba13fb78.dat
C:\ab6200f8dc53cf04.dat
C:\dd5f4684950217fb.dat
C:\e35c6c702949cb01.dat
C:\WINDOWS\system32\drivers\NPF111.sys
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\iujraler.sys

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
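A first-pass triage of the entries the helper pulled out of the log above, written as an added example for this thread rather than code from the helper or from ComboFix. It assumes only the three line shapes visible in the log (the "S3 name;display;path [date]" driver lines, the "[...\Services\name]" blocks with an "ImagePath" value, and the "AppInit_DLLs" value), flags what stands out for reasons a reader can see in the log itself, and lays the flagged services out in the same Driver::/File:: form as the CFScript in post #11; the sample input is copied from the log.

```python
r"""Triage of the ComboFix entries quoted in this thread (added example, not
code from the helper or from ComboFix).  Parses the "S3 name;display;path [date]"
driver lines, the [...\Services\name] blocks with an "ImagePath" value and the
"AppInit_DLLs" value, and flags what stands out for reasons visible in the log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=akjsdkaq.dll,,skqncbib.dll
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 15:29]
S3 02ab640cf7f5528b;02ab640cf7f5528b;C:\02ab640cf7f5528b.dat []
S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2008-07-07 22:00]
S3 Zehowunm;Zehowunm;C:\WINDOWS\system32\drivers\Zehowunm.sys []
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\02ab640cf7f5528b]
"ImagePath"="\??\C:\02ab640cf7f5528b.dat"
"""

DRIVER_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]$")
SECTION_LINE = re.compile(r"^\[(.+)\]$")
IMAGEPATH_LINE = re.compile(r'^"ImagePath"="(.*)"$')
APPINIT_LINE = re.compile(r'^"AppInit_DLLs"=(.*)$')
HEX16 = re.compile(r"^[0-9a-f]{16}$")                     # e.g. 02ab640cf7f5528b
ROOT_DAT = re.compile(r"^[A-Za-z]:\\[^\\]+\.dat$", re.I)  # e.g. C:\<name>.dat

@dataclass
class Finding:
    kind: str      # "service" or "appinit"
    name: str      # service name or DLL name
    path: str      # image path, "" when the log gives none
    reasons: list = field(default_factory=list)

def parse_services(text):
    """Map service name -> image path; also keep the bracketed date of each driver line."""
    services, dates, section = {}, {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_LINE.match(line)
        if m:
            _start, name, _display, path, date = m.groups()
            services[name], dates[name] = path, date
            continue
        m = SECTION_LINE.match(line)
        if m:
            section = m.group(1)
            continue
        m = IMAGEPATH_LINE.match(line)
        if m and "\\services\\" in section.lower():
            path = m.group(1)
            if path.startswith("\\??\\"):  # NT object-manager prefix, not part of the DOS path
                path = path[4:]
            services.setdefault(section.rsplit("\\", 1)[1], path)
    return services, dates

def parse_appinit(text):
    """DLL names in AppInit_DLLs; the ',,' in the log yields an empty entry that is dropped."""
    for raw in text.splitlines():
        m = APPINIT_LINE.match(raw.strip())
        if m:
            return [d.strip() for d in m.group(1).split(",") if d.strip()]
    return []

def triage(text):
    """Findings for entries matching the patterns seen in this thread's log."""
    findings = []
    services, dates = parse_services(text)
    for name, path in sorted(services.items()):
        reasons = []
        if HEX16.match(name):
            reasons.append("service name is 16 hex digits rather than a vendor name")
        if ROOT_DAT.match(path):
            reasons.append("driver image is a .dat file in the drive root")
        if dates.get(name) == "":
            reasons.append("no file date in brackets, unlike the legitimate drivers")
        if reasons:
            findings.append(Finding("service", name, path, reasons))
    for dll in parse_appinit(text):
        # The log gives only the DLL names, so their location must be checked by hand.
        findings.append(Finding("appinit", dll, "",
                                ["AppInit_DLLs loads it into every process that loads user32.dll"]))
    return findings

def to_cfscript(findings):
    """Flagged services in the Driver::/File:: layout the helper used above."""
    svc = [f for f in findings if f.kind == "service"]
    return ("Driver::\n" + "\n".join(f.name for f in svc)
            + "\n\nFile::\n" + "\n".join(f.path for f in svc) + "\n")

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.name, f.path, "|", "; ".join(f.reasons))
```

Rules this simple miss entries a reviewer removed on other grounds (NPF111 above still passes), so treat the output as a shortlist to read, not a verdict.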

#12 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts

Posted 11 July 2008 - 05:00 PM

Thanks, Sam. I'll do it this evening. It looks like we can see the light at the end of the tunnel.

#13 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts

Posted 12 July 2008 - 03:07 AM

Hi Sam, the following is the ComboFix log from running CFScript.txt. Thanks.

>>>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 08-07-10.1 - jzhao 2008-07-12 0:42:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT -7:00]
Running from: C:\Documents and Settings\jzhao.GST-A58BF168D75\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jzhao.GST-A58BF168D75\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\02ab640cf7f5528b.dat
C:\03c6a4ac13e12267.dat
C:\156a30544ad7a6c6.dat
C:\1930d5005eb25d5d.dat
C:\330807d41972b528.dat
C:\426493e44f943816.dat
C:\514c3d2839c1298f.dat
C:\5cc127dc4a835e01.dat
C:\5d5707581761dfac.dat
C:\5f08277409cfd8da.dat
C:\6dced408f6d20c45.dat
C:\747257c8500711e8.dat
C:\8a61e940b12b411e.dat
C:\8e390c44cb3fbfb0.dat
C:\955172d0ba13fb78.dat
C:\ab6200f8dc53cf04.dat
C:\dd5f4684950217fb.dat
C:\e35c6c702949cb01.dat
C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\drivers\NPF111.sys
C:\WINDOWS\system32\iujraler.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\desktop.ini
C:\Program Files\folder.htt
C:\WINDOWS\system32\drivers\NPF111.sys
C:\WINDOWS\system32\fassaplo.sys
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fxwlbime.sys
C:\WINDOWS\system32\fxzxbime.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\iujraler.sys
C:\WINDOWS\system32\pmjhbhlp.sys
C:\WINDOWS\system32\sdjsakaq.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\spwdbapi.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_02AB640CF7F5528B
-------\Legacy_03C6A4AC13E12267
-------\Legacy_156A30544AD7A6C6
-------\Legacy_1930D5005EB25D5D
-------\Legacy_330807D41972B528
-------\Legacy_426493E44F943816
-------\Legacy_514C3D2839C1298F
-------\Legacy_5CC127DC4A835E01
-------\Legacy_5D5707581761DFAC
-------\Legacy_5F08277409CFD8DA
-------\Legacy_6DCED408F6D20C45
-------\Legacy_747257C8500711E8
-------\Legacy_8A61E940B12B411E
-------\Legacy_8E390C44CB3FBFB0
-------\Legacy_955172D0BA13FB78
-------\Legacy_AB6200F8DC53CF04
-------\Legacy_DD5F4684950217FB
-------\Legacy_E35C6C702949CB01
-------\Legacy_NPF111
-------\Legacy_ZEHOWUNM
-------\Service_02ab640cf7f5528b
-------\Service_03c6a4ac13e12267
-------\Service_156a30544ad7a6c6
-------\Service_1930d5005eb25d5d
-------\Service_330807d41972b528
-------\Service_426493e44f943816
-------\Service_514c3d2839c1298f
-------\Service_5cc127dc4a835e01
-------\Service_5d5707581761dfac
-------\Service_5f08277409cfd8da
-------\Service_6dced408f6d20c45
-------\Service_747257c8500711e8
-------\Service_8a61e940b12b411e
-------\Service_8e390c44cb3fbfb0
-------\Service_955172d0ba13fb78
-------\Service_ab6200f8dc53cf04
-------\Service_dd5f4684950217fb
-------\Service_e35c6c702949cb01
-------\Service_NPF111
-------\Service_Zehowunm


((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 19:51 . 2008-07-11 19:51 260 --a------ C:\WINDOWS\system32\kcoin32.ini
2008-07-10 22:35 . 2008-07-12 00:49 13,588 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-10 07:03 . 2008-07-10 07:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-10 06:54 . 2008-07-10 21:22 <DIR> d-------- C:\SDFix
2008-07-09 20:15 . 2008-07-09 20:15 <DIR> d-------- C:\Deckard
2008-07-09 20:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-08 22:42 . 2008-07-08 22:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 22:37 . 2008-07-07 22:37 <DIR> d-------- C:\Documents and Settings\Administrator.GST-A58BF168D75
2008-07-07 21:45 . 2008-07-07 21:58 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-07 21:45 . 2008-07-07 21:58 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-07 21:44 . 2008-07-07 21:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-07 21:44 . 2000-07-11 19:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-07-07 21:44 . 2008-07-12 00:50 1,173,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 21:44 . 2008-07-12 00:49 20,512 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-07 21:44 . 2008-07-12 00:48 16,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-07 21:44 . 2008-07-12 00:48 2,948 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-07 21:42 . 2008-07-07 21:42 <DIR> d-------- C:\kav
2008-06-26 19:46 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-26 19:46 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 02:43 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-11 02:40 --------- d-----w C:\Program Files\UltraEdit
2008-07-11 02:40 --------- d-----w C:\Program Files\TechSmith
2008-07-11 02:40 --------- d-----w C:\Program Files\Snapshot Viewer
2008-07-11 02:40 --------- d-----w C:\Program Files\Nero
2008-07-11 02:39 --------- d-----w C:\Program Files\MSN Messenger
2008-07-11 02:39 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-11 02:39 --------- d-----w C:\Program Files\Accessories
2008-07-08 04:58 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\jzhao.GST-A58BF168D75\Application Data\AVG7
2008-07-08 04:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-07-08 04:34 --------- d--h--r C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-07-08 04:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-02 06:26 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-17 22:53 90,112 ----a-w C:\WINDOWS\DUMP6619.tmp
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2004-08-08 04:42 520 --sha-w C:\WINDOWS\system32\fassaplo_xxxxxxxxxxxxxxx.sys
.

------- Sigcheck -------

2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 05:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 05:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 05:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 09:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 05:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 05:55 2057600 1d659bfb788ed2ba45075624b748d249 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 01:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 09:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 02:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 05:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 07:17 2180352 8f0deab1f81fb83f9c5995853ce48b9f C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 02:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 03:23 1033216 177cedb5d8714a6bd4a56eaacc693cfd C:\WINDOWS\explorer.exe
2007-06-13 04:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 03:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2005-06-10 17:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 05:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 16:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
2005-06-10 16:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-10_19.52.49.49 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 02:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-12 07:49:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-07-10 14:04:08 6,295,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-11 04:01:34 6,299,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-07-10 14:04:08 258,048 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-11 04:01:34 258,048 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2004-08-04 12:00:00 19,456 ----a-w C:\WINDOWS\system32\arp_xxxxxxxxxxxxxx.exe
+ 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmonssssss.exe
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\kav\\kis\\setup.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 15:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 b546c840a5787aad;b546c840a5787aad;C:\b546c840a5787aad.dat []
S3 d2e49fc0d8a8f197;d2e49fc0d8a8f197;C:\d2e49fc0d8a8f197.dat []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 00:58:30 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 00:50:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b546c840a5787aad]
"ImagePath"="\??\C:\b546c840a5787aad.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d2e49fc0d8a8f197]
"ImagePath"="\??\C:\d2e49fc0d8a8f197.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-12 0:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 07:58:40
ComboFix2.txt 2008-07-11 02:54:06

Pre-Run: 13,508,501,504 bytes free
Post-Run: 13,441,110,016 bytes free

263 --- E O F --- 2008-07-11 05:40:22

#14 jimz84

jimz84
  • Topic Starter

  • Members
  • 20 posts

Posted 12 July 2008 - 03:14 AM

The virus is still here! After reboot, the virus just came back as before. This is a tough one to get rid of. -Jimz84

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 July 2008 - 09:40 AM

Hang in there! I think we've got it on the ropes now.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
b546c840a5787aad
d2e49fc0d8a8f197

File::
C:\d2e49fc0d8a8f197.dat
C:\b546c840a5787aad.dat
C:\WINDOWS\system32\ctfmonssssss.exe
C:\WINDOWS\system32\arp_xxxxxxxxxxxxxx.exe
C:\WINDOWS\system32\fassaplo_xxxxxxxxxxxxxxx.sys

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
