
Troj_tibs.ckn And Troj_dldr.bl


  • This topic is locked
17 replies to this topic

#1 charismatic100


  • Members
  • 29 posts

Posted 13 September 2008 - 06:35 PM

I am not able to successfully rid my computer of these pests. I have turned off System Restore and run Spybot, Symantec, Housecall and McAfee Stinger. They have not been able to clean, quarantine, or delete the files. They are located in C:\Windows\System32\_c00B0297.dat and C:\Windows\System32\_c00B5C71.dat files respectively. I have tried to manually delete the files in Safe Mode. For the first instance I received "Cannot Delete: _c00B0297.dat. It is being used by another person or program. Close any programs that might be using the file and try again." For the second instance I received "Cannot Delete: _c00B5C71.dat. Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

The following is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:04 PM, on 9/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Joe Smith\My Documents\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O20 - Winlogon Notify: cc4da5d4382 - C:\WINDOWS\system32\__c00B5C71.dat
O20 - Winlogon Notify: __c00B0297 - C:\WINDOWS\system32\__c00B0297.dat
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4196 bytes


#2 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 26 September 2008 - 04:13 PM

Hello and welcome to BC


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
    Note: If you are using Windows Vista, right click at RSIT.exe and select 'Run as administrator'.

  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply please post back with the following reports:
  • RSIT log.txt
  • RSIT info.txt
  • Kaspersky report
*NOTE: Please make sure before posting the reports back that Word Wrap is un-checked in Notepad!
Notepad>Format, make sure there is no check mark next to Word Wrap.

Regards
SNOWHITE

#3 charismatic100

  • Topic Starter

  • Members
  • 29 posts

Posted 27 September 2008 - 03:20 PM

I understand. No problem. I was able to remove the files that denied access and things were working pretty well. However, now there is a more persistent problem. The date/time keeps reverting to the year 2004 and my firewall gets turned off on reboot. I cannot run the Symantec antivirus program; I receive a message that "Another program is using this file." I received the same message when trying to run HiJackThis. I researched and was able to bypass that by renaming the HiJackThis file and running it with the new name. There are *.pif files that are shortcuts to the MS-DOS command line that I keep deleting only to have them reappear on reboot. I am receiving a "Windows - No Disk: Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c" error message that does not go away. I also found services turned off when I could not access the Internet.
Posting the files that you have requested:
RSIT info file

info.txt logfile of random's system information tool 1.02 2008-09-27 13:52:55

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adsense based PopAd-->C:\Program Files\Common Files\PushWare\Uninst.exe
America Online-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20020605.1)-->C:\WINDOWS\AolCInUn.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Joe Smith\My Documents\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HouseCall 6.6-->"C:\Documents and Settings\Joe Smith\Application Data\HouseCall 6.6\uninstaller.exe"
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Document Viewer 7.0-->C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Ink Components-->"C:\Documents and Settings\All Users\Application Data\{02C45027-B817-41FE-A000-2799C43CEF41}\TabletComponents.exe" REMOVE=TRUE MODIFY=FALSE
网站排名工具条-->"C:\Program Files\zzToolBar\Uninstall.exe"
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
JGsoft EditPad Pro 6 DEMO 6.4.3-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadPro6\Deploy.log"
LiveUpdate 1.7 (Symantec Corporation)-->C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Money 2003 System Pack-->MsiExec.exe /I{02D5E8EE-0B08-4F2C-97D6-A400E77275FE}
Microsoft Money 2003-->MsiExec.exe /I{015A0855-1EF5-4C77-93DB-8E2FC6A495B5}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OpenOffice.org 2.3-->MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PDF Annotator 1.5.0.133-->"C:\Program Files\PDF Annotator\unins000.exe"
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

RSIT log file

Logfile of random's system information tool 1.02 (written by random/random)
Run by Joe Smith at 2008-09-27 13:52:49
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (80%) free of 38 GB
Total RAM: 511 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:53 PM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\Desktop\RSIT.exe
C:\Program Files\trend micro\Joe Smith.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\PushWare\cpush.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Aseo\pbhealth.dll
O2 - BHO: 网站排名工具条BHO - {489873CE-F3E1-44A3-8E89-04BE26BE4446} - C:\Program Files\zzToolBar\Toolbar_bho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: 网站排名工具条 - {0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} - C:\Program Files\zzToolBar\ToolBand.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [internetnet] C:\WINDOWS\system32\wuauclt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4702 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
CAdLogic Object - C:\Program Files\Common Files\PushWare\cpush.dll [2008-09-20 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 163906]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{285AB8C6-FB22-4D17-8834-064E2BA0A6F0}]
Info cache - C:\WINDOWS\Aseo\pbhealth.dll [2008-10-01 167936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489873CE-F3E1-44A3-8E89-04BE26BE4446}]
网站排名工具条BHO - C:\Program Files\zzToolBar\Toolbar_bho.dll [2008-07-25 214384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-08-14 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} - 网站排名工具条 - C:\Program Files\zzToolBar\ToolBand.dll [2008-07-25 214384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"internetnet"=C:\WINDOWS\system32\wuauclt.exe [2004-09-26 15872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\mnyexpr.exe [2002-07-17 200767]
"cdloader"=C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe [2008-07-22 50520]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2007-12-08 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
C:\PROGRA~1\AMERIC~1.0\aoltray.exe [2001-11-27 32839]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2006-02-10 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\autorun.exe
shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]
shell\Auto\command - Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe


======List of files/folders created in the last 1 months======

2008-09-27 13:52:49 ----D---- C:\rsit
2008-09-27 13:52:49 ----D---- C:\Program Files\trend micro
2008-09-26 15:40:28 ----SH---- C:\6131t.exe
2008-09-12 16:54:16 ----D---- C:\Documents and Settings\Joe Smith\Application Data\HouseCall 6.6
2008-09-12 13:00:15 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-09-12 12:43:32 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-12 12:13:23 ----D---- C:\Documents and Settings\Joe Smith\Application Data\JGsoft
2008-09-12 12:12:33 ----D---- C:\Program Files\JGsoft
2008-09-12 12:12:33 ----A---- C:\WINDOWS\UnDeploy.exe
2008-09-12 10:14:03 ----A---- C:\WINDOWS\vpc32.INI
2008-09-11 21:14:11 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-11 21:06:51 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-11 20:21:08 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-11 20:19:28 ----D---- C:\Program Files\Symantec
2008-09-11 20:19:27 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-11 20:19:22 ----D---- C:\Program Files\Symantec_Client_Security
2008-09-11 20:19:22 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-09-10 03:00:41 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-01 21:12:35 ----D---- C:\Documents and Settings\Joe Smith\Application Data\mjusbsp
2008-08-31 12:18:48 ----D---- C:\WINDOWS\system32\LogFiles

======List of files/folders modified in the last 1 months======

2008-09-27 13:52:49 ----RD---- C:\Program Files
2008-09-21 08:27:23 ----D---- C:\Program Files\America Online 7.0
2008-09-21 08:26:10 ----A---- C:\WINDOWS\win.ini
2008-09-20 17:38:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 16:56:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-13 07:17:11 ----D---- C:\Program Files\Internet Explorer
2008-09-12 16:40:55 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-09-12 13:17:24 ----SHD---- C:\RECYCLER
2008-09-12 13:00:19 ----SHD---- C:\WINDOWS\Installer
2008-09-12 13:00:19 ----HD---- C:\Config.Msi
2008-09-12 13:00:15 ----A---- C:\WINDOWS\OEWABLog.txt
2008-09-12 12:43:32 ----D---- C:\WINDOWS\system
2008-09-12 12:43:08 ----SD---- C:\Documents and Settings\Joe Smith\Application Data\Microsoft
2008-09-12 11:42:17 ----D---- C:\Program Files\Adobe
2008-09-11 21:12:18 ----D---- C:\WINDOWS\system32\Restore
2008-09-11 19:03:48 ----D---- C:\Documents and Settings\Joe Smith\Application Data\OpenOffice.org2
2008-09-10 03:00:46 ----HD---- C:\WINDOWS\inf
2008-09-10 03:00:42 ----D---- C:\WINDOWS\WinSxS
2008-09-10 03:00:21 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-01 20:53:09 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-12-08 8552]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 ati2mtaa;ati2mtaa; C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 netwg311;NETGEAR WG311v2 802.11g Wireless PCI Adapter; C:\WINDOWS\system32\DRIVERS\netwg311.sys [2004-06-18 386688]
R3 npf;npf; \??\C:\WINDOWS\system32\drivers\npf.sys []
R3 odysseyIM3;Odyssey Network Services Miniport; C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-12-08 62865]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2001-09-27 28396]
R4 dog0725;dog0725; \??\C:\Documents and Settings\Joe Smith\Desktop\obj2.sys []
S3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080919.007\NAVENG.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080919.007\NAVEX15.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe [2002-07-30 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe [2002-07-30 573440]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2001-11-26 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]

-----------------EOF-----------------

Kaspersky report

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 27, 2008 19:08:22
Records in database: 1266255


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 46247
Threat name 14
Infected objects 36
Suspicious objects 0
Duration of the scan 01:40:05

File name Threat name Threats count
C:\WINDOWS\system32\wuauclt.exe//PE_Patch.PECompact//PecBundle//PECompact//PE-Crypt.Morf/C:\WINDOWS\system32\wuauclt.exe//PE_Patch.PECompact//PecBundle//PECompact//PE-Crypt.Morf Infected: Worm.Win32.AutoRun.pdk 1

C:\Program Files\Common Files\PushWare\cpush.dll/C:\Program Files\Common Files\PushWare\cpush.dll Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\WINDOWS\Aseo\pbhealth.dll/C:\WINDOWS\Aseo\pbhealth.dll Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Program Files\zzToolBar\Toolbar_bho.dll/C:\Program Files\zzToolBar\Toolbar_bho.dll Infected: Trojan.Win32.Agent.abpb 1

C:\6131t.exe Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\10.pif Infected: Trojan.Win32.Agent.abpb 1

C:\Documents and Settings\2.pif Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\3.pif Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\6.pif Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\Documents and Settings\9.pif Infected: Trojan-GameThief.Win32.OnLineGames.tlbg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0000.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0001.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0002.VBN Infected: not-a-virus:AdWare.Win32.Agent.ekj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0003.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05240000.VBN Infected: not-a-virus:AdWare.Win32.Agent.ekj 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\1EJLHUGY\10[1].exe Infected: Trojan.Win32.Agent.abpb 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\2Y7P9FH7\9[1].exe Infected: Trojan-GameThief.Win32.OnLineGames.tlbg 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\436J8ROZ\3[1].exe Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\436J8ROZ\next2[1].htm Infected: Exploit.Win32.PowerPlay.a 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\4NGH0ZWF\2[1].exe Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\91CQKVT3\6[1].exe Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\F3DPT9HE\1[1].exe Infected: Trojan-Spy.Win32.Delf.egt 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\HH6MM4QD\flashmm[1].exe Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\N698XZVV\5[1].exe Infected: Trojan-Dropper.Win32.Agent.xgq 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\N698XZVV\mm[1].exe Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\Joe Smith\Local Settings\Temporary Internet Files\Content.IE5\XCHLVDXF\x[1].gif Infected: not-a-virus:AdWare.Win32.FindSpy.j 1

C:\h.pif Infected: Worm.Win32.AutoRun.pdk 1

C:\HERO.PIF Infected: Worm.Win32.AutoRun.pdk 1

C:\Program Files\Common Files\PushWare\cpush.dll Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\Program Files\ef.pif Infected: not-a-virus:AdWare.Win32.FindSpy.j 1

C:\Program Files\zzToolBar\Toolbar_bho.dll Infected: Trojan.Win32.Agent.abpb 1

C:\temp.temp Infected: Worm.Win32.AutoRun.pdk 1

C:\WINDOWS\Aseo\pbhealth.dll Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\WINDOWS\system32\conime.exe Infected: Trojan-Downloader.Win32.Tiny.bvv 1

C:\WINDOWS\system32\waclt.exe Infected: not-a-virus:NetTool.Win32.Agent.b 1

C:\WINDOWS\system32\wuauclt.exe Infected: Worm.Win32.AutoRun.pdk 1

The selected area was scanned.

#4 SNOWHITE

Posted 30 September 2008 - 12:16 PM

Hello charismatic100,

You have a bad collection of malware there; please follow my advice:

First, I would like to take a closer look at a couple of files in there, so upload them:

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29

Copy & paste this file path: C:\6131t.exe
into the Browse box for uploading files, or click into it and paste the file path into the empty File Name box, click on the Open button, then click on the Send File button.

Wait for a message like "File was successfully submitted" to show up.

Repeat the same for the following files:

C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe


Thank you.

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • Adsense based PopAd
  • 网站排名工具条
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\PushWare\cpush.dll
O2 - BHO: Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\Aseo\pbhealth.dll
O2 - BHO: 网站排名工具条BHO - {489873CE-F3E1-44A3-8E89-04BE26BE4446} - C:\Program Files\zzToolBar\Toolbar_bho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: 网站排名工具条 - {0A1230F1-EB52-4CA3-9D34-DE2ABC2EED35} - C:\Program Files\zzToolBar\ToolBand.dll
O4 - HKLM\..\Policies\Explorer\Run: [internetnet] C:\WINDOWS\system32\wuauclt.exe


Then close all windows except HijackThis and click Fix Checked.

Restart

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\6131t.exe
    C:\Program Files\Common Files\PushWare
    C:\WINDOWS\Aseo
    C:\Program Files\zzToolBar
    C:\WINDOWS\vpc32.INI
    C:\Documents and Settings\10.pif
    C:\Documents and Settings\2.pif
    C:\Documents and Settings\3.pif
    C:\Documents and Settings\6.pif
    C:\Documents and Settings\9.pif
    C:\h.pif
    C:\HERO.PIF
    C:\Program Files\ef.pif
    C:\temp.temp
    C:\WINDOWS\system32\waclt.exe
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next:

Let's proceed with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows: when the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:


OTMoveIt report
C:\ComboFix.txt
New HijackThis log.


Also, do you use a flash drive or USB?

Regards

Edited by SNOWHITE, 30 September 2008 - 12:22 PM.

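Building the HijackThis fix list above by hand means cross-referencing each autostart entry in the RSIT registry dump against the Kaspersky detections, and noting which BHO keys point at no file at all. The script below automates that correlation. It is an added example written for this page, not a tool from the thread and not part of RSIT, HijackThis or Kaspersky; its function and class names (parse_rsit, parse_kaspersky, build_fix_list, Autostart) are this example's own, and the two input strings are constructed excerpts of the logs posted earlier in the thread.

```python
"""Correlate RSIT-style autostart entries with AV scanner detections.

Added example, not a tool from this thread; function and class names are
this example's own, and the inputs are constructed excerpts of the logs above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the RSIT registry dump posted in this thread.
RSIT_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
CAdLogic Object - C:\Program Files\Common Files\PushWare\cpush.dll [2008-09-20 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 163906]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"internetnet"=C:\WINDOWS\system32\wuauclt.exe [2004-09-26 15872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\autorun.exe
"""

# Constructed excerpt of the Kaspersky Online Scanner report posted above.
KASPERSKY_REPORT = r"""
C:\WINDOWS\system32\wuauclt.exe//PE_Patch.PECompact//PecBundle//PECompact//PE-Crypt.Morf/C:\WINDOWS\system32\wuauclt.exe//PE_Patch.PECompact//PecBundle//PECompact//PE-Crypt.Morf Infected: Worm.Win32.AutoRun.pdk 1
C:\Program Files\Common Files\PushWare\cpush.dll/C:\Program Files\Common Files\PushWare\cpush.dll Infected: not-a-virus:AdWare.Win32.BHO.dbj 1
C:\6131t.exe Infected: Worm.Win32.AutoRun.pdk 1
"""


@dataclass
class Autostart:
    key: str             # registry key the entry lives under
    name: str            # display name, "(no name)" when the dump has none
    path: Optional[str]  # None for a key that lists no file line at all


# Entry lines look like 'Name - C:\path [date size]', '"Name"=C:\path [date size]'
# or a bare 'C:\path [date size]'; the [date size] suffix is optional.
ENTRY_RE = re.compile(
    r'^(?:"(?P<qname>[^"]*)"=|(?P<dname>.*?) - )?'   # optional name prefix
    r'(?P<path>[A-Za-z]:\\[^\[]*?)'                   # drive-letter path
    r'(?:\s+\[[^\]]*\])?\s*$'                         # optional [date size]
)

# Scanner lines: 'C:\path[/packer/...] Infected: Threat.Name 1'. Only the first
# segment is the file on disk; everything after '/' describes nested objects.
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/]+?)(?:/.*)?\s+Infected:\s+(?P<threat>\S+)\s+\d+$"
)


def parse_rsit(text: str) -> List[Autostart]:
    """Walk the dump key by key; a key followed by no entry line is an orphan."""
    entries: List[Autostart] = []
    key: Optional[str] = None
    pending: Optional[str] = None  # key seen, no entry line under it yet
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            if pending is not None:
                entries.append(Autostart(pending, "(no name)", None))
            key = pending = line[1:-1]
            continue
        if not line:
            continue
        pending = None
        m = ENTRY_RE.match(line)
        if m and key is not None:
            name = m.group("qname") or m.group("dname") or "(no name)"
            entries.append(Autostart(key, name, m.group("path")))
    if pending is not None:
        entries.append(Autostart(pending, "(no name)", None))
    return entries


def parse_kaspersky(text: str) -> Dict[str, str]:
    """Map lower-cased on-disk path -> threat name for every result line."""
    detections: Dict[str, str] = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            detections[m.group("path").lower()] = m.group("threat")
    return detections


def build_fix_list(entries: List[Autostart],
                   detections: Dict[str, str]) -> List[Tuple[Autostart, str]]:
    """Flag entries whose file the scanner reported, plus entries with no file.

    Caveat: 8.3 short paths such as C:\\PROGRA~1 are compared literally and will
    not match the scanner's long-form paths; a real tool would expand them first.
    """
    findings: List[Tuple[Autostart, str]] = []
    for entry in entries:
        if entry.path is None:
            findings.append((entry, "no file (orphaned entry)"))
        elif entry.path.lower() in detections:
            findings.append((entry, detections[entry.path.lower()]))
    return findings


if __name__ == "__main__":
    for entry, reason in build_fix_list(parse_rsit(RSIT_LOG),
                                        parse_kaspersky(KASPERSKY_REPORT)):
        print(f"{entry.key} | {entry.name} | {entry.path or '(no file)'} | {reason}")
```

Run as a script, it flags cpush.dll and the Policies\Explorer\Run entry for wuauclt.exe through the scanner match, and the {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} BHO through its missing file line, which reproduces the O2 and O4 lines in the fix list above. The mountpoints2 AutoRun handler is parsed but not flagged, because the report contains no detection for F:\autorun.exe; it still deserves a look by a reviewer, which is the point of listing every parsed entry rather than only the flagged ones.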

#5 charismatic100

Posted 02 October 2008 - 02:23 PM

I have uploaded the files that you requested. I am working my way down the list of things that you need me to do. I am unable to enable the Show hidden files and folders option. It changes back to default every time.
Will let you know more as I move down the list.

#6 charismatic100

Posted 02 October 2008 - 02:43 PM

Yes, I do use USB/Flash drive.

#7 charismatic100

Posted 02 October 2008 - 04:30 PM

OTMoveIt report

========== FILES ==========
C:\6131t.exe moved successfully.
C:\Program Files\Common Files\PushWare moved successfully.
C:\WINDOWS\Aseo moved successfully.
C:\Program Files\zzToolBar moved successfully.
C:\WINDOWS\vpc32.INI moved successfully.
C:\Documents and Settings\10.pif moved successfully.
C:\Documents and Settings\2.pif moved successfully.
C:\Documents and Settings\3.pif moved successfully.
C:\Documents and Settings\6.pif moved successfully.
C:\Documents and Settings\9.pif moved successfully.
C:\h.pif moved successfully.
C:\HERO.PIF moved successfully.
C:\Program Files\ef.pif moved successfully.
C:\temp.temp moved successfully.
C:\WINDOWS\system32\waclt.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\JOESMI~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\~myE.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.2.2 log created on 10022004_154507

Files moved on Reboot...
C:\DOCUME~1\JOESMI~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\~myE.tmp not found!


ComboFix.txt

ComboFix 08-10-01.06 - Joe Smith 2008-10-02 16:38:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.245 [GMT -4:00]
Running from: C:\Documents and Settings\Joe Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joe Smith\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\h.pif
C:\Program Files\Common Files\PushWare
C:\Program Files\Common Files\PushWare\cpush.dll
C:\Program Files\Common Files\PushWare\Uninst.exe
C:\Program Files\ef.pif
C:\Program Files\zzToolBar
C:\Program Files\zzToolBar\IP.dat
C:\Program Files\zzToolBar\SearchEngineConfig
C:\Program Files\zzToolBar\ToolBand.dll
C:\Program Files\zzToolBar\Toolbar_bho.dll
C:\Program Files\zzToolBar\uISGRLFile.dat
C:\Program Files\zzToolBar\Uninstall.exe
C:\strategy.txt
C:\WINDOWS\Aseo\pbhealth.dll
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\gprmsgse.axz
C:\WINDOWS\system32\gscpx32r.det
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\waclt.exe
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\~my1.tmp
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPIDISK
-------\Legacy_NPF
-------\Service_acpidisk
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-09-27 13:52 . 2008-09-27 13:54 <DIR> d-------- C:\rsit
2008-09-27 13:52 . 2008-09-27 13:52 <DIR> d-------- C:\Program Files\trend micro
2008-09-13 09:06 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-12 16:54 . 2008-09-13 16:59 <DIR> d-------- C:\Documents and Settings\Joe Smith\Application Data\HouseCall 6.6
2008-09-12 16:40 . 2008-09-13 09:05 <DIR> d-------- C:\Documents and Settings\Joe Smith\.housecall6.6
2008-09-12 13:00 . 2008-09-12 13:00 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-12 13:00 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-12 12:43 . 2008-09-12 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-12 12:13 . 2008-09-12 12:13 <DIR> d-------- C:\Documents and Settings\Joe Smith\Application Data\JGsoft
2008-09-12 12:12 . 2008-09-12 12:12 <DIR> d-------- C:\Program Files\JGsoft
2008-09-12 12:12 . 2008-08-05 03:01 67,208 --a------ C:\WINDOWS\UnDeploy.exe
2008-09-11 21:06 . 2008-09-11 21:06 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-11 20:21 . 2008-09-11 20:18 123,619 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-09-11 20:21 . 2008-09-11 20:18 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-11 20:21 . 2008-09-11 20:18 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-11 20:19 . 2008-09-11 20:19 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-09-11 20:19 . 2008-09-11 20:21 <DIR> d-------- C:\Program Files\Symantec
2008-09-11 20:19 . 2008-09-11 20:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-11 20:19 . 2008-09-11 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 12:27 --------- d-----w C:\Program Files\America Online 7.0
2008-09-20 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 20:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-20 20:52 --------- d-----w C:\Documents and Settings\Joe Smith\Application Data\mjusbsp
2008-09-11 23:03 --------- d-----w C:\Documents and Settings\Joe Smith\Application Data\OpenOffice.org2
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2004-06-18 04:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 18:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 18:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"cdloader"="C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-12-08 10:45 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Documents and Settings\\Joe Smith\\Application Data\\mjusbsp\\magicJack.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.freeality.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 16:46:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-02 16:49:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 20:49:46

Pre-Run: 32,275,922,944 bytes free
Post-Run: 32,215,711,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

180 --- E O F --- 2008-09-10 07:00:47


New HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:14 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Joe Smith\My Documents\HiJackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4428 bytes

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:02:42 AM

Posted 08 October 2008 - 08:18 AM

Hello charismatic100,

Sorry for the delay :thumbsup: .. Can you tell me what drive F is used for?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

    Java 6 Update 3

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Post back with the MBAM report and a new RSIT log.txt, and let me know how the computer is running.

Regards
SNOWHITE

#9 charismatic100

charismatic100
  • Topic Starter

  • Members
  • 29 posts
  • Local time:08:42 PM

Posted 10 October 2008 - 03:35 PM

F: drive is used for MagicJack, phone over Internet.
www.magicjack.com

Reappearance of 网站排名工具条 in the Add/Remove Programs list and of an MS-DOS shortcut to a .pif file on the desktop. Ran everything again and they are gone for now. I will post back in a couple of days to let you know if it is gone for good this time. Followed instructions for JRE.
Malwarebytes log and RSIT log follow:

Malwarebytes' Anti-Malware 1.28
Database version: 1252
Windows 5.1.2600 Service Pack 2

10/10/2008 4:16:52 PM
mbam-log-2008-10-10 (16-16-52).txt

Scan type: Quick Scan
Objects scanned: 44111
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------------------------------------------------------------------------
New RSIT log

Logfile of random's system information tool 1.02 (written by random/random)
Run by Joe Smith at 2008-10-10 16:22:14
Microsoft Windows XP Professional Service Pack 2
System drive C: has 31 GB (81%) free of 38 GB
Total RAM: 511 MB (48% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:24 PM, on 10/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Joe Smith\Desktop\RSIT.exe
C:\Program Files\trend micro\Joe Smith.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4659 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 163906]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-08-14 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-07-30 77824]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\mnyexpr.exe [2002-07-17 200767]
"cdloader"=C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe [2008-07-22 50520]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2007-12-08 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
C:\PROGRA~1\AMERIC~1.0\aoltray.exe [2001-11-27 32839]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2006-02-10 73728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\autorun.exe
shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]
shell\Auto\command - Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe


======List of files/folders created in the last 1 months======

2008-10-10 16:11:43 ----D---- C:\Documents and Settings\Joe Smith\Application Data\Malwarebytes
2008-10-10 16:11:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-10 16:11:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-10 15:50:23 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-10 15:43:43 ----A---- C:\WINDOWS\system32\javaws.exe
2008-10-10 15:43:43 ----A---- C:\WINDOWS\system32\javaw.exe
2008-10-10 15:43:43 ----A---- C:\WINDOWS\system32\java.exe
2008-10-10 14:44:28 ----A---- C:\WINDOWS\vpc32.INI
2008-10-02 16:49:53 ----D---- C:\WINDOWS\temp
2008-10-02 16:49:51 ----A---- C:\ComboFix.txt
2008-10-02 16:38:20 ----A---- C:\Boot.bak
2008-10-02 16:38:13 ----D---- C:\cmdcons
2008-10-02 16:37:43 ----D---- C:\WINDOWS\erdnt
2008-10-02 16:37:17 ----D---- C:\QooBox
2008-10-02 16:37:16 ----A---- C:\WINDOWS\zip.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\VFind.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\swxcacls.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\SWSC.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\SWREG.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\sed.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\Nircmd.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\grep.exe
2008-10-02 16:37:16 ----A---- C:\WINDOWS\fdsv.exe
2008-09-27 13:52:49 ----D---- C:\rsit
2008-09-27 13:52:49 ----D---- C:\Program Files\trend micro
2008-09-12 16:54:16 ----D---- C:\Documents and Settings\Joe Smith\Application Data\HouseCall 6.6
2008-09-12 13:00:15 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-09-12 12:43:32 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-12 12:13:23 ----D---- C:\Documents and Settings\Joe Smith\Application Data\JGsoft
2008-09-12 12:12:33 ----D---- C:\Program Files\JGsoft
2008-09-12 12:12:33 ----A---- C:\WINDOWS\UnDeploy.exe
2008-09-11 21:14:11 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-11 21:06:51 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-11 20:21:08 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-11 20:19:28 ----D---- C:\Program Files\Symantec
2008-09-11 20:19:27 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-11 20:19:22 ----D---- C:\Program Files\Symantec_Client_Security
2008-09-11 20:19:22 ----D---- C:\Program Files\Common Files\Symantec Shared

======List of files/folders modified in the last 1 months======

2008-10-10 16:12:19 ----D---- C:\WINDOWS\Prefetch
2008-10-10 16:12:18 ----D---- C:\WINDOWS\system32\drivers
2008-10-10 16:11:38 ----RD---- C:\Program Files
2008-10-10 16:10:19 ----D---- C:\WINDOWS\system32
2008-10-10 16:10:19 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-10 16:06:20 ----D---- C:\WINDOWS
2008-10-10 16:06:09 ----D---- C:\Documents and Settings\Joe Smith\Application Data\mjusbsp
2008-10-10 15:58:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-10 15:50:23 ----SHD---- C:\WINDOWS\Installer
2008-10-10 15:50:23 ----HD---- C:\Config.Msi
2008-10-10 15:50:21 ----D---- C:\Program Files\Java
2008-10-10 15:46:43 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-10 15:06:49 ----D---- C:\WINDOWS\Aseo
2008-10-10 14:52:18 ----D---- C:\Documents and Settings
2008-10-10 14:46:27 ----HD---- C:\WINDOWS\inf
2008-10-10 14:44:14 ----SHD---- C:\System Volume Information
2008-10-10 14:44:14 ----D---- C:\WINDOWS\system32\Restore
2008-10-10 14:34:04 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-09 09:54:09 ----D---- C:\Documents and Settings\Joe Smith\Application Data\OpenOffice.org2
2008-10-09 07:13:48 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-02 16:49:33 ----D---- C:\WINDOWS\repair
2008-10-02 16:46:47 ----A---- C:\WINDOWS\system.ini
2008-10-02 16:40:16 ----D---- C:\WINDOWS\system32\config
2008-10-02 16:39:37 ----D---- C:\WINDOWS\AppPatch
2008-10-02 16:39:37 ----D---- C:\Program Files\Common Files
2008-10-02 16:38:20 ----RASH---- C:\boot.ini
2008-09-21 08:27:23 ----D---- C:\Program Files\America Online 7.0
2008-09-21 08:26:10 ----A---- C:\WINDOWS\win.ini
2008-09-20 17:38:46 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 16:56:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-13 07:17:11 ----D---- C:\Program Files\Internet Explorer
2008-09-12 13:00:15 ----A---- C:\WINDOWS\OEWABLog.txt
2008-09-12 12:43:32 ----D---- C:\WINDOWS\system
2008-09-12 12:43:08 ----SD---- C:\Documents and Settings\Joe Smith\Application Data\Microsoft
2008-09-12 11:42:17 ----D---- C:\Program Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-12-08 8552]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 ati2mtaa;ati2mtaa; C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081010.004\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081010.004\NAVEX15.sys []
R3 netwg311;NETGEAR WG311v2 802.11g Wireless PCI Adapter; C:\WINDOWS\system32\DRIVERS\netwg311.sys [2004-06-18 386688]
R3 odysseyIM3;Odyssey Network Services Miniport; C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-12-08 62865]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2001-09-27 28396]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DefWatch;DefWatch; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe [2002-07-30 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe [2002-07-30 573440]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2001-11-26 65536]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]

-----------------EOF-----------------
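
The RSIT registry dump above shows the two things this thread turns on: per-volume shell\verb\command entries under MountPoints2 (one for the F: drive, one for a volume GUID) and an empty NoDriveTypeAutoRun policy. As an added example, not a tool anyone in this thread used, the Python script below parses that dump format, rates each entry, and emits a REGEDIT4 fix of the same shape as the helper's fixme.reg further down; the sample dump is constructed from the key paths in the log, and the severity rules are this example's own heuristics.

```python
import re

# Constructed sample in the RSIT "Registry dump" format. The key paths, GUID and
# commands are copied from the RSIT log posted above; the rest of the log is omitted.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDriveAutoRun"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\autorun.exe
shell\phone\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]
shell\Auto\command - Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# RSIT prints "shell\verb\command - ..."; ComboFix prints "\Shell\verb\command - ..."
SHELL_RE = re.compile(r"^\\?shell\\([^\\]+)\\command\s+-\s+(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DRIVE_REMOVABLE_BIT = 0x04  # NoDriveTypeAutoRun bit for DRIVE_REMOVABLE


def parse_dump(text):
    """Group the non-empty lines of a dump under the [key] header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_reg_int(value):
    """Parse the numeric forms seen in dumps and .reg files: '', '0', '0x91', 'dword:FFFFFFFF'."""
    v = value.strip().strip('"')
    if not v:
        return None
    try:
        return int(v[6:], 16) if v.lower().startswith("dword:") else int(v, 0)
    except ValueError:
        return None


def classify_command(cmd):
    """Rate a MountPoints2 shell command; returns (severity, reason). Heuristic, not a signature."""
    if "rundll32" in cmd.lower():
        return "high", "launched indirectly through RunDLL32 ShellExec_RunDLL"
    exe = cmd.split()[0]
    if not re.match(r"^([a-z]:)?\\", exe, re.IGNORECASE):
        return "high", "bare executable name resolves against the root of the inserted volume"
    return "medium", "absolute path on the volume; confirm which device owns it"


def scan(text):
    """Return findings for MountPoints2 shell commands and the NoDriveTypeAutoRun policy."""
    findings = []
    for key, lines in parse_dump(text).items():
        lk = key.lower()
        if "\\explorer\\mountpoints2\\" in lk:
            volume = key.rsplit("\\", 1)[1]  # drive letter or volume GUID
            for line in lines:
                m = SHELL_RE.match(line)
                if m:
                    sev, why = classify_command(m.group(2))
                    findings.append({"kind": "mountpoints2", "key": key, "volume": volume,
                                     "verb": m.group(1), "command": m.group(2),
                                     "severity": sev, "reason": why})
        elif lk.endswith("\\policies\\explorer"):
            for line in lines:
                m = VALUE_RE.match(line)
                if not m or m.group(1).lower() != "nodrivetypeautorun":
                    continue
                val = parse_reg_int(m.group(2))
                if val is None:
                    why = "value is empty, so the Windows default applies and removable drives still AutoRun"
                elif not val & DRIVE_REMOVABLE_BIT:
                    why = f"0x{val:X} leaves AutoRun enabled for removable drives"
                else:
                    continue
                findings.append({"kind": "policy", "key": key, "severity": "medium",
                                 "reason": "NoDriveTypeAutoRun " + why})
    return findings


def fix_reg(findings):
    """REGEDIT4 fix of the shape used in this thread: disable AutoRun for every drive type
    and delete only the MountPoints2 keys rated high (legitimate devices keep theirs)."""
    lines = ["REGEDIT4", "",
             r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
             '"NoDriveTypeAutoRun"=dword:FFFFFFFF', ""]
    to_delete = {f["key"] for f in findings if f["kind"] == "mountpoints2" and f["severity"] == "high"}
    lines += ["[-" + key + "]" for key in sorted(to_delete)]  # leading '-' deletes the key
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in scan(SAMPLE_DUMP):
        print(f"[{f['severity']}] {f['kind']:12} {f.get('command', f['key'])}: {f['reason']}")
    print(fix_reg(scan(SAMPLE_DUMP)))
```

On the sample the F: entries come out medium (an absolute path that the thread later ties to the MagicJack device) while the GUID volume's Start.exe entries come out high, so only the GUID key lands in the generated fix.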

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:02:42 AM

Posted 13 October 2008 - 03:04 PM

Hello charismatic100,

  • 1 - Go Here and download ERUNT.
    Double-click erunt-setup.exe and follow the prompts to install ERUNT using the default settings.
    At the prompt that asks you to add ERUNT to the start-up folder, answer No (you can enable this option later).
  • 2 - Start ERUNT.
    At the dialog box asking where to save the registry backup, leave the default location on.
    The default location should be this: "C:\WINDOWS\ERDNT\7-4-2008" <-- where the numbers differ depending on the current date.
    Make sure that there is a check mark next to these options:
    • System registry
    • Current user registry
  • Click OK.
  • Answer YES at the prompt asking to create the folder.
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg on your Desktop.

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:FFFFFFFF

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

  • Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Please make sure you have plugged in the flash drive/USB drive while doing the online scan!

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Reappearance of 网站排名工具条 in Add/Remove programs list and msdos shortcut to .pif file on desktop. Ran everything again and they are gone for now. I will post back in a couple of days to let you know if it is gone for good this time


Let me know if you are still getting reinfected, or the computer is stable now.

Post back with kaspersky online scan report and fresh HijackThis log.

Regards
SNOWHITE
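The fixme.reg above does two things: it sets NoDriveTypeAutoRun to 0xFFFFFFFF, which turns off AutoRun for every drive type, and it deletes one MountPoints2 entry, the place where Explorer caches per-volume settings such as the autorun.inf actions a drive has presented. As an added example (not from this thread or from any tool named in it), the Python below parses a REGEDIT4 file, flags deletion keys and decodes the NoDriveTypeAutoRun bitmask, so a helper can confirm what a fix will change before a user merges it. The sample text is the fixme.reg contents from this post; the drive-type bit table follows the Windows DRIVE_* constants.

```python
"""Decode a Windows REGEDIT4 .reg file that hardens AutoRun.

Added example for the thread above; it is not ERUNT's, Microsoft's or a
BleepingComputer tool's code. The sample text is the posted fixme.reg.
"""
import re

# Bit meanings of NoDriveTypeAutoRun (the Windows DRIVE_* type numbers as bits).
DRIVE_TYPE_BITS = {
    0x01: "unknown drive type",
    0x02: "no root directory",
    0x04: "removable (floppy/USB)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved/unspecified",
}

# The fixme.reg contents from the post above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:FFFFFFFF

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37d316cc-bbaa-11dc-9803-000347f7fbfb}]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY] (delete)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')  # "Name"=dword:HEX


def parse_reg(text):
    """Return (header, keys); keys maps key path -> {'delete': bool, 'values': {name: int}}."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    keys = {}
    current = None
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(2), {"delete": m.group(1) == "-", "values": {}})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current["values"][m.group(1)] = int(m.group(2), 16)
            continue
        raise ValueError(f"unsupported line: {line}")  # only dword values are handled here
    return lines[0].strip(), keys


def autorun_disabled_types(mask):
    """List the drive types whose AutoRun the given NoDriveTypeAutoRun mask disables."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def summarize(text):
    """One human-readable line per change the file would make when merged."""
    _, keys = parse_reg(text)
    out = []
    for path, info in keys.items():
        if info["delete"]:
            out.append(f"DELETE key {path}")
            continue
        for name, val in info["values"].items():
            if name.lower() == "nodrivetypeautorun":
                types = ", ".join(autorun_disabled_types(val & 0xFF))
                out.append(f"SET {name}=0x{val:08X} under {path}: AutoRun disabled for {types}")
            else:
                out.append(f"SET {name}=0x{val:08X} under {path}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_REG):
        print(line)
```

Running it prints one SET line showing AutoRun disabled for all eight drive types and one DELETE line for the MountPoints2 entry; decoding 0x95 (the value Windows XP ships with) instead shows AutoRun left enabled for fixed disks and CD-ROMs, which is why the fix uses 0xFFFFFFFF.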

#11 charismatic100

charismatic100
  • Topic Starter

  • Members
  • 29 posts

Posted 22 October 2008 - 06:56 PM

Sorry to be so long...The online scan did not finish before I had to leave for an out of town job.
Computer seems to be running fine now.

Kaspersky report:

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, October 20, 2008 06:28:43
Records in database: 1324225


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 52237
Threat name 18
Infected objects 74
Suspicious objects 0
Duration of the scan 02:35:58

File name Threat name Threats count
C:\Documents and Settings\6.pif Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03BC0000.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0000.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0001.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0002.VBN Infected: not-a-virus:AdWare.Win32.Agent.ekj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0003.VBN Infected: Trojan.Win32.Inject.gto 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05240000.VBN Infected: not-a-virus:AdWare.Win32.Agent.ekj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08A40000.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09740000.VBN Infected: Trojan.Win32.Agent.afmi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09780000.VBN Infected: Trojan.Win32.Agent.afmi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A7C0000.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A840000.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A880000.VBN Infected: Trojan-Downloader.Win32.Agent.ajiu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A880001.VBN Infected: Worm.Win32.AutoRun.mir 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600002.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600003.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600004.VBN Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600005.VBN Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600006.VBN Infected: Trojan.Win32.Pakes.dgi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600007.VBN Infected: Trojan.Win32.Pakes.dgi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600008.VBN Infected: Trojan-GameThief.Win32.OnLineGames.tmmr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600009.VBN Infected: Trojan-GameThief.Win32.OnLineGames.tmmr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60000A.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60000B.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60000E.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60000F.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600010.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600011.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600012.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600013.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600014.VBN Infected: not-a-virus:NetTool.Win32.Agent.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600015.VBN Infected: not-a-virus:NetTool.Win32.Agent.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600016.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600017.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600018.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600019.VBN Infected: Worm.Win32.AutoRun.pxq 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001A.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001B.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001C.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001D.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001E.VBN Infected: Trojan-Spy.Win32.Delf.ejj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60001F.VBN Infected: Trojan-Spy.Win32.Delf.ejj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600020.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600021.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600024.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600025.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600026.VBN Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600027.VBN Infected: Trojan-Downloader.Win32.Delf.epw 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600028.VBN Infected: Trojan-GameThief.Win32.OnLineGames.tmmr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600029.VBN Infected: Trojan-GameThief.Win32.OnLineGames.tmmr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002A.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002B.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002C.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002D.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002E.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C60002F.VBN Infected: Worm.Win32.AutoRun.pdk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600030.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.sxy 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600031.VBN Infected: not-a-virus:NetTool.Win32.Agent.b 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C600032.VBN Infected: not-a-virus:NetTool.Win32.Agent.b 1

C:\Documents and Settings\Joe Smith\My Documents\HiJackThis\backups\backup-20041002-161657-198.dll Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\QooBox\Quarantine\C\Program Files\Common Files\PushWare\cpush.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\QooBox\Quarantine\C\Program Files\ef.pif.vir Infected: Worm.Win32.AutoRun.pxp 1

C:\WINDOWS\system32\cnxcis.dll Infected: Trojan-Spy.Win32.Agent.ekn 1

C:\WINDOWS\system32\msjdbc10s.dll Infected: Trojan-Spy.Win32.Agent.ekn 1

C:\WINDOWS\system32\wiavusds.dll Infected: Trojan-Spy.Win32.Agent.ekn 1

C:\_OTMoveIt\MovedFiles\10022004_154507\Documents and Settings\6.pif Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\_OTMoveIt\MovedFiles\10022004_154507\Program Files\Common Files\PushWare\cpush.dll Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\_OTMoveIt\MovedFiles\10022004_154507\Program Files\ef.pif Infected: Worm.Win32.AutoRun.pxp 1

F:\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1

F:\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

F:\Bgccf Flash\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.
--------------------------------------------------------------------------------------------------------------------
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:11 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Joe Smith\My Documents\HiJackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeality.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Joe Smith\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4468 bytes
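Most of the 74 hits in this report sit inside Symantec's quarantine, ComboFix's QooBox, the OTMoveIt MovedFiles folder or the HijackThis backups folder, that is, copies that have already been neutralised; the ones that matter for the next step are the files still in their original location. As an added example (not from this thread or from Kaspersky), the Python below parses report lines in this format, sorts them into contained hits, live malware and live "not-a-virus:" riskware (such as the VNC installer on F:), and tallies detections by family. The sample lines are copied from the report above.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each hit lives.

Added example for the thread above; it is not Kaspersky's own code or a
BleepingComputer tool. The sample lines are copied from the posted report.
"""
import re
from collections import Counter

# Report format: "<path> Infected: <threat name> <count>", one hit per line.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Folders where a hit is a copy that has already been quarantined or backed up
# (Symantec quarantine, ComboFix QooBox, OTMoveIt MovedFiles, HijackThis backups).
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "\\qoobox\\",
    "\\_otmoveit\\",
    "\\hijackthis\\backups\\",
)

# Subset of lines copied from the Kaspersky report posted above.
SAMPLE_REPORT = r"""File name Threat name Threats count
C:\Documents and Settings\6.pif Infected: not-a-virus:AdWare.Win32.BHO.dbj 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04AC0000.VBN Infected: Trojan.Win32.Inject.gto 1

C:\QooBox\Quarantine\C\Program Files\ef.pif.vir Infected: Worm.Win32.AutoRun.pxp 1

C:\WINDOWS\system32\cnxcis.dll Infected: Trojan-Spy.Win32.Agent.ekn 1

C:\_OTMoveIt\MovedFiles\10022004_154507\Program Files\ef.pif Infected: Worm.Win32.AutoRun.pxp 1

F:\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

F:\Bgccf Flash\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.
"""


def parse_hits(text):
    """Return a list of (path, threat, count) for every hit line in the report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def classify(path, threat):
    """contained = already in a quarantine/backup folder; live_riskware = a
    'not-a-virus' detection still in place (review by hand); live_malware = the rest."""
    low = path.lower()
    if any(marker in low for marker in CONTAINED_MARKERS):
        return "contained"
    if threat.startswith("not-a-virus:"):
        return "live_riskware"
    return "live_malware"


def family(threat):
    """First component of the Kaspersky name, e.g. Trojan-Spy, Worm, AdWare."""
    return threat.replace("not-a-virus:", "").split(".")[0]


def triage(text):
    """Bucket hit paths by classification and count detections per family."""
    buckets = {"live_malware": [], "live_riskware": [], "contained": []}
    families = Counter()
    for path, threat, count in parse_hits(text):
        buckets[classify(path, threat)].append(path)
        families[family(threat)] += count
    return buckets, families


if __name__ == "__main__":
    buckets, families = triage(SAMPLE_REPORT)
    for name, paths in buckets.items():
        print(f"{name} ({len(paths)}):")
        for p in paths:
            print("   ", p)
    print("by family:", dict(families))
```

On the full report this separates the three DLLs still in C:\WINDOWS\system32 (the real cleanup targets) from the sixty-odd quarantine copies and the VNC installers on the F: drive, which is the split the next reply's OTMoveIt list reflects.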

#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 26 October 2008 - 03:55 PM

Hello charismatic100 :thumbsup:

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\Documents and Settings\6.pif
    C:\WINDOWS\system32\cnxcis.dll
    C:\WINDOWS\system32\msjdbc10s.dll
    C:\WINDOWS\system32\wiavusds.dll
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Open Norton AntiVirus by double clicking the 'Shield' icon located in the right hand bottom corner of your computer screen.
Double click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents. Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder.
Select the item you wish to remove and click on RED 'X' icon to delete it. This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer.
Repeat for any other quarantined files you want to remove.
When you are done removing files, click the 'Exit' button in the bottom left hand corner of the Norton AntiVirus window.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the "Show all" checkbox during the scan.

Run online scan with the ESET Online Scanner
Note: You need to use Internet Explorer
  • Place a checkmark at the box next to YES, I accept the Terms of Use.
  • Click on the Start button.
  • Allow the ActiveX control to install.
  • Click on the Start button.
  • Place a checkmark next to Remove found threats and Scan unwanted applications, then click on Scan
  • When the scan is done, close Internet Explorer.
  • Click Start>Run, into the Run box paste this filepath:

    • C:\Program Files\EsetOnlineScanner\log.txt
  • Press the OK button.
  • The report from the scan will be opened in Notepad, copy and paste the results as a reply to this topic.
Please post back with OTMoveIt3 report, Gmer report, report from ESET Online Scanner and fresh HijackThis log.

Let me know how the computer is running.

Best regards
SNOWHITE

#13 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 26 October 2008 - 03:59 PM

Also, please let me know whether your antivirus program is working properly.
SNOWHITE

#14 charismatic100

charismatic100
  • Topic Starter

  • Members
  • 29 posts

Posted 27 October 2008 - 07:18 AM

SnoWhite,
I did not check the board before going to bed last night. Sorry. I will not be back until Wednesday night. I will follow the next steps when I get back home. I have also installed the latest Windows update.
I thought that my antivirus program was working correctly. What would I be looking for if it is not?

#15 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 31 October 2008 - 02:50 PM

Hello charismatic100 :thumbsup:

I thought that my antivirus program was working correctly. What would I be looking for if it is not?


You should have an icon in the tray that looks like a golden shield; if the icon is grayed, locked or does not appear in the tray, then it means Norton is not working properly. You should also check whether the Virus Definition File is up to date.

I will follow the next steps when I get back home.


I hope everything is well with you. Can I see the new reports?

Regards
SNOWHITE



