Outerinfo/Spyware removal [CLOSED]


This topic is locked.

#1 Kohkane (Member, 20 posts)
Hello!!! I followed the guide you have on removing the Outerinfo spyware. I've downloaded ComboFix, AVG Anti-Spyware, and HijackThis, and I followed all the steps carefully. After using ComboFix and AVG-AS and rebooting, the infection seemed to have been removed, so I figured it wouldn't be necessary to post the logs and report. Then it came back, but now it doesn't appear as "Outerinfo". It just shows up as three icons at the bottom right of the screen that issue me warnings about a system infection and recommend some anti-spyware software. Every once in a while I'll get flooded by pop-ups. I redid the whole process and it's still there. So I downloaded HijackThis and now I'm going to post the logs so you can hopefully help me remove what's left of the infection.


COMBOFIX LOG:

ComboFix 08-02.02.5 - owner 2008-02-03 0:53:44.4 - NTFSx86
Running from: C:\Documents and Settings\owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Documents and Settings\owner\Application Data\Grisoft
2008-02-02 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 13:47 . 2008-02-02 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 13:00 . 2008-02-02 13:00 103,936 --a------ C:\WINDOWS\system32\drvnuc.dll
2008-02-02 13:00 . 2008-02-02 13:00 18,944 --a------ C:\WINDOWS\system32\drvsih.dll
2008-02-02 12:39 . 2008-02-02 12:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 09:11 . 2008-02-02 15:56 <DIR> d-------- C:\Program Files\Steam
2008-01-23 14:57 . 2008-01-28 17:07 <DIR> d-------- C:\Program Files\PartyGaming.Net
2008-01-04 18:29 . 2008-01-04 18:29 268 --ah----- C:\sqmdata10.sqm
2008-01-04 18:29 . 2008-01-04 18:29 244 --ah----- C:\sqmnoopt10.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 05:58 --------- d-----w C:\Documents and Settings\owner\Application Data\BitTorrent
2008-02-03 05:53 0 ----a-w C:\reg.reg
2008-02-02 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-02 15:57 99,857 ----a-w C:\WINDOWS\hmzotada.exe
2008-02-02 15:57 99,857 ------w C:\WINDOWS\system32\rxjddnvj.exe
2008-02-02 15:57 65,536 ----a-w C:\evvr.exe
2008-02-02 15:57 49,152 ----a-w C:\WINDOWS\fonetgti.exe
2008-02-02 15:57 44,032 ----a-w C:\dcmqd.exe
2008-02-02 15:57 256,000 ----a-w C:\WINDOWS\system32\apiuser32.dll
2008-02-02 15:57 19,024 ----a-w C:\cjbnqf.exe
2008-02-02 15:57 134,656 ----a-w C:\WINDOWS\zijolelc.dll
2008-02-02 15:57 --------- d-----w C:\Program Files\DNA
2008-02-02 15:51 --------- d-----w C:\Documents and Settings\owner\Application Data\DNA
2008-01-25 12:05 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-25 12:05 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-16 04:01 --------- d-----w C:\Program Files\New Folder
2008-01-09 04:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-02 23:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-01 21:30 --------- d-----w C:\Program Files\BitTorrent
2007-12-30 00:14 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-30 00:14 --------- d-----w C:\Documents and Settings\owner\Application Data\eFax Messenger
2007-12-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-20 01:47 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-20 01:47 --------- d-----w C:\Program Files\DivX
2007-12-07 00:59 --------- d-----w C:\Program Files\CCP
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-25 22:22 19,952 -c--a-w C:\Documents and Settings\owner\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 19:00 49,152 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-04-11 18:50 958464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 22528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-02-01 18:45 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 40960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 163840]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1634304 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 294912]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 123392]
"drmsrv32"="C:\dcmqd.exe" [2008-02-02 10:57 44032]
"MSDisp32"="C:\WINDOWS\system32\drvsih.dll" [2008-02-02 13:00 18944]
"MSDrive"="C:\WINDOWS\system32\drvnuc.dll" [2008-02-02 13:00 103936]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-30 17:46:34 263168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-12-29 19:12:44 636416]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [2007-08-17 17:19:00 741376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [2008-02-02 10:57 256000]
"zip"= {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll [2008-02-02 13:02 38950]

S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 02:01:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-03 05:05:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 00:58:57
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 1:00:21
ComboFix-quarantined-files.txt 2008-02-03 06:00:03
ComboFix2.txt 2008-02-03 00:18:28
ComboFix3.txt 2008-02-02 18:34:58
.
2008-01-09 05:04:58 --- E O F ---

HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:29 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [drmsrv32] C:\dcmqd.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvsih.dll,startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvnuc.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?434c099082c649299522546f90588202
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?434c099082c649299522546f90588202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 6700 bytes

Any help would be much appreciated!
Thanks! :)



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drvnuc.dll
C:\WINDOWS\system32\drvsih.dll
C:\WINDOWS\hmzotada.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\evvr.exe
C:\WINDOWS\fonetgti.exe
C:\dcmqd.exe
C:\WINDOWS\system32\apiuser32.dll
C:\cjbnqf.exe
C:\WINDOWS\zijolelc.dll
C:\dcmqd.exe

Folder::
C:\Program Files\DNA
C:\Documents and Settings\owner\Application Data\DNA


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Run: [drmsrv32] C:\dcmqd.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvsih.dll,startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvnuc.dll,startup


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\apiuser32.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


Repeat that for this file

C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll


Reboot and post a new HijackThis log
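The fix above rests on one correlation: an autostart entry (an HKLM/HKCU Run value or an SSODL handler) whose target file only just appeared on the machine, sits loose in the drive root, or is loaded out of the Windows Installer cache is what ends up in the CFScript File:: list. What follows is an added example, not code from the thread, from ComboFix or from HijackThis, that performs that correlation over a few lines copied from the two logs in post #1 and emits the File:: block. The seven-day window, the three heuristics, and the reading of the leading ComboFix timestamp as the date the file appeared on this machine are my assumptions. Anything it flags still needs the VirusTotal check the post asks for: a recently created file in system32 is also what a fresh driver install looks like, which is why a recent file is only flagged when it is also an autostart target (AvgAsCln.sys in the sample is recent but is not flagged).

```python
import re
from datetime import date, timedelta

# Constructed sample input: lines copied from the ComboFix "Files Created" /
# "Find3M" sections and from the HijackThis O4/O21 entries in post #1.
# The complete logs are fed in exactly the same way.
COMBOFIX_SAMPLE = r"""
2008-02-02 13:00 . 2008-02-02 13:00 103,936 --a------ C:\WINDOWS\system32\drvnuc.dll
2008-02-02 13:00 . 2008-02-02 13:00 18,944 --a------ C:\WINDOWS\system32\drvsih.dll
2008-02-02 15:57 44,032 ----a-w C:\dcmqd.exe
2008-02-02 15:57 256,000 ----a-w C:\WINDOWS\system32\apiuser32.dll
2008-02-02 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [drmsrv32] C:\dcmqd.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvsih.dll,startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvnuc.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
"""

# First drive-letter path ending in .exe/.dll/.sys; stops at a quote or the
# comma that separates a rundll32 DLL from its entry point.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|sys)', re.IGNORECASE)
DATE_RE = re.compile(r'^(\d{4})-(\d{2})-(\d{2}) ')


def recent_files(combofix_text, scan_date_iso, window_days=7):
    """Lower-cased paths whose leading ComboFix timestamp falls within the window.

    Assumption: the first timestamp on a line is when the file appeared here; the
    second one in a 'Files Created' line is the file's own stamp and may be older.
    """
    scan_date = date.fromisoformat(scan_date_iso)
    recent = set()
    for line in combofix_text.splitlines():
        m_date, m_path = DATE_RE.match(line), PATH_RE.search(line)
        if not (m_date and m_path):
            continue
        when = date(*map(int, m_date.groups()))
        if timedelta(0) <= scan_date - when <= timedelta(days=window_days):
            recent.add(m_path.group(0).lower())
    return recent


def triage_autostarts(hjt_text, recent):
    """Return (line, target path, reasons) for each O4/O21 entry that trips a heuristic."""
    hits = []
    for line in hjt_text.splitlines():
        if not line.startswith(("O4 ", "O21 ")):
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        reasons = []
        if re.fullmatch(r'[A-Za-z]:\\[^\\]+', path):
            reasons.append("executable sits in the drive root")
        if "\\windows\\installer\\" in path.lower():
            reasons.append("loaded from the Windows Installer cache")
        if path.lower() in recent:
            reasons.append("file appeared within the scan window")
        if reasons:
            hits.append((line, path, reasons))
    return hits


def cfscript(hits):
    """Build the File:: block that ComboFix accepts as CFScript.txt from the flagged paths."""
    paths = sorted({p for _, p, _ in hits}, key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    recent = recent_files(COMBOFIX_SAMPLE, "2008-02-03")
    hits = triage_autostarts(HJT_SAMPLE, recent)
    for _, path, reasons in hits:
        print(f"{path}\n    {'; '.join(reasons)}")
    print(cfscript(hits))
```

Run against the sample it flags exactly the five targets the reply lists (dcmqd.exe for two reasons, the two rundll32 DLLs and apiuser32.dll because they appeared the day before the scan, zip.dll because of where it lives) and leaves NvCpl.dll, ctfmon.exe and avgas.exe alone. Treat the File:: output as a starting point for the reviewer's own list, not as something to drag onto ComboFix unread.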

#3 Kohkane (Topic Starter, Member, 20 posts)
Hey, Thanks a lot!

C:\WINDOWS\system32\apiuser32.dll isn't there, and neither is C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll.


Here's HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:33 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?434c099082c649299522546f90588202
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?434c099082c649299522546f90588202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 6551 bytes

#4 Rorschach112 (Retired Staff, 47,710 posts)
Do this

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Then try scanning those two files again.


Also post the ComboFix log

#5 Kohkane (Topic Starter, Member, 20 posts)
I did the file viewing steps and C:\WINDOWS\system32\apiuser32.dll still isn't there.

I got C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll though. Here are the results:

AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.05 HEUR/Malware
Authentium 4.93.8 2008.02.05 -
Avast 4.7.1098.0 2008.02.05 -
AVG 7.5.0.516 2008.02.05 -
BitDefender 7.2 2008.02.05 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.05 -
DrWeb 4.44.0.09170 2008.02.05 -
eSafe 7.0.15.0 2008.01.28 Suspicious File
eTrust-Vet 31.3.5512 2008.02.05 -
Ewido 4.0 2008.02.05 -
FileAdvisor 1 2008.02.05 -
Fortinet 3.14.0.0 2008.02.05 -
F-Prot 4.4.2.54 2008.02.05 -
F-Secure 6.70.13260.0 2008.02.05 -
Ikarus T3.1.1.20 2008.02.05 Trojan-Clicker.Win32.Small.BG
Kaspersky 7.0.0.125 2008.02.05 -
McAfee 5223 2008.02.05 -
Microsoft 1.3204 2008.02.05 -
NOD32v2 2851 2008.02.05 -
Norman 5.80.02 2008.02.05 -
Panda 9.0.0.4 2008.02.05 Suspicious file
Prevx1 V2 2008.02.05 E404Bho:Adware-b
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.05 -
Sunbelt 2.2.907.0 2008.02.05 VIPRE.Suspicious
Symantec 10 2008.02.05 -
TheHacker 6.2.9.209 2008.02.05 -
VBA32 3.12.6.0 2008.02.05 -
VirusBuster 4.3.26:9 2008.02.05 -
Webwasher-Gateway 6.6.2 2008.02.05 Heuristic.Malware
Additional information
File size: 38950 bytes
MD5: d19505c73c72614fa7849926b7262791
SHA1: 490b9c879eb14e8fdcee8b15508b216a092b6d16
PEiD: PECompact 2.xx --> BitSum Technologies
packers: PecBundle, PECompact
packers: PE_Patch.PECompact, PecBundle, PECompact
Prevx info: http://info.prevx.co...86D78008E219ADE
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Here's that ComboFix log:

ComboFix 08-02.02.5 - owner 2008-02-04 20:58:40.7 - NTFSx86
Running from: C:\Documents and Settings\owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\owner\Application Data\printer.exe
C:\Documents and Settings\owner\Application Data\ultra
C:\Documents and Settings\owner\Application Data\ultra\uninstall.bat
C:\Documents and Settings\owner\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\SystemDefender
C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\mcrupdate.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete
C:\WINDOWS\system32\xlibgfl254.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 20:25 . 2008-02-04 20:25 <DIR> d-------- C:\Documents and Settings\owner\Application Data\EasySpywareCleaner.com
2008-02-04 20:24 . 2008-02-04 20:24 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-02-04 20:22 . 2005-06-10 08:46 98,709 --a------ C:\Documents and Settings\owner\Application Data\sysdefender.exe
2008-02-04 19:57 . 2005-06-11 14:24 18,944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-02-04 19:52 . 2008-02-04 19:52 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-02-04 19:42 . 2008-02-04 19:42 18,432 --a------ C:\Program Files\tmp48623218.exe
2008-02-03 17:31 . 2008-02-03 17:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-03 11:55 . 2008-02-03 11:56 <DIR> d-------- C:\Program Files\LHClass
2008-02-03 11:55 . 2008-02-03 11:55 294,912 --------- C:\WINDOWS\Setup1.exe
2008-02-03 11:54 . 2008-02-03 11:54 80,384 --a------ C:\WINDOWS\ST6UNST.EXE
2008-02-03 10:52 . 2008-02-03 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Documents and Settings\owner\Application Data\Grisoft
2008-02-02 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 13:47 . 2008-02-02 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 12:39 . 2008-02-02 12:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 10:57 . 2008-02-02 10:58 <DIR> d-------- C:\WINDOWS\lputphoh
2008-02-02 10:57 . 2008-02-02 10:59 3,014,634 --a------ C:\WINDOWS\G1RbbvgFOT.exe.bak
2008-02-02 10:57 . 2008-02-02 10:57 54,764 --a------ C:\WINDOWS\system32\fnhoje
2008-02-02 10:57 . 2008-02-02 10:57 2 --a------ C:\2029340009
2008-02-02 10:57 . 2008-02-03 14:32 0 --a------ C:\reg.reg
2008-02-02 09:11 . 2008-02-02 15:56 <DIR> d-------- C:\Program Files\Steam
2008-01-23 14:57 . 2008-01-28 17:07 <DIR> d-------- C:\Program Files\PartyGaming.Net

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 02:02 --------- d-----w C:\Documents and Settings\owner\Application Data\BitTorrent
2008-02-03 22:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-02 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-16 04:01 --------- d-----w C:\Program Files\New Folder
2008-01-09 04:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-02 23:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-01 21:30 --------- d-----w C:\Program Files\BitTorrent
2007-12-30 00:14 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-30 00:14 --------- d-----w C:\Documents and Settings\owner\Application Data\eFax Messenger
2007-12-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-20 01:47 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-20 01:47 --------- d-----w C:\Program Files\DivX
2007-12-07 00:59 --------- d-----w C:\Program Files\CCP
2007-09-25 22:22 19,952 -c--a-w C:\Documents and Settings\owner\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 19:00 49,152 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-04-11 18:50 958464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 22528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-02-01 18:45 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 40960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 163840]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1634304 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 294912]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 123392]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-30 17:46:34 263168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-12-29 19:12:44 636416]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [2007-08-17 17:19:00 741376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [ ]
"zip"= {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll [2008-02-02 13:02 38950]

R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]

*Newly Created Service* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 02:01:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 01:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 21:06:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\calc.exe
.
**************************************************************************
.
Completion time: 2008-02-04 21:12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 02:12:29
ComboFix2.txt 2008-02-03 19:36:36
ComboFix3.txt 2008-02-03 18:18:32
ComboFix4.txt 2008-02-03 06:00:22
ComboFix5.txt 2008-02-03 00:18:28
.
2008-01-09 05:04:58 --- E O F ---




It was fine for a long time, then the cursed pop ups came back!

Edited by Kohkane, 05 February 2008 - 04:49 PM.

  • 0

#6
Rorschach112


    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
C:\WINDOWS\system32\apiuser32.dll
C:\Documents and Settings\owner\Application Data\sysdefender.exe
C:\WINDOWS\system32\wowfx.dll
C:\Program Files\udefender_setup.exe
C:\Program Files\tmp48623218.exe
C:\WINDOWS\G1RbbvgFOT.exe.bak
C:\reg.reg

Folder::
C:\WINDOWS\system32\fnhoje
C:\2029340009
C:\Documents and Settings\owner\Application Data\EasySpywareCleaner.com
C:\Program Files\EasySpywareCleaner


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.




Also post a new HijackThis log
  • 0

#7
Kohkane


    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok, done!

Here's the ComboFix log:

ComboFix 08-02.02.5 - owner 2008-02-06 15:58:52.8 - NTFSx86
Running from: C:\Documents and Settings\owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\owner\Application Data\sysdefender.exe
C:\Program Files\tmp48623218.exe
C:\Program Files\udefender_setup.exe
C:\reg.reg
C:\WINDOWS\G1RbbvgFOT.exe.bak
C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
C:\WINDOWS\system32\apiuser32.dll
C:\WINDOWS\system32\wowfx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2029340009\
C:\Documents and Settings\owner\Application Data\EasySpywareCleaner.com
C:\Documents and Settings\owner\Application Data\sysdefender.exe
C:\Program Files\EasySpywareCleaner
C:\Program Files\EasySpywareCleaner\defs.pkg
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe.local
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe.log
C:\Program Files\EasySpywareCleaner\Kernel.dll
C:\Program Files\EasySpywareCleaner\msvcp71.dll
C:\Program Files\EasySpywareCleaner\msvcr71.dll
C:\Program Files\EasySpywareCleaner\Resources.dll
C:\Program Files\EasySpywareCleaner\Uninstall.exe
C:\Program Files\EasySpywareCleaner\WndLayer.dll
C:\Program Files\tmp48623218.exe
C:\Program Files\udefender_setup.exe
C:\reg.reg
C:\WINDOWS\G1RbbvgFOT.exe.bak
C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll
C:\WINDOWS\system32\fnhoje\
C:\WINDOWS\system32\wowfx.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-03 17:31 . 2008-02-03 17:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-03 11:55 . 2008-02-03 11:56 <DIR> d-------- C:\Program Files\LHClass
2008-02-03 11:55 . 2008-02-03 11:55 294,912 --------- C:\WINDOWS\Setup1.exe
2008-02-03 11:54 . 2008-02-03 11:54 80,384 --a------ C:\WINDOWS\ST6UNST.EXE
2008-02-03 10:52 . 2008-02-03 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Documents and Settings\owner\Application Data\Grisoft
2008-02-02 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 13:47 . 2008-02-02 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 12:39 . 2008-02-02 12:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 10:57 . 2008-02-02 10:58 <DIR> d-------- C:\WINDOWS\lputphoh
2008-02-02 10:57 . 2008-02-02 10:57 54,764 --a------ C:\WINDOWS\system32\fnhoje
2008-02-02 10:57 . 2008-02-02 10:57 2 --a------ C:\2029340009
2008-02-02 09:11 . 2008-02-02 15:56 <DIR> d-------- C:\Program Files\Steam
2008-01-23 14:57 . 2008-01-28 17:07 <DIR> d-------- C:\Program Files\PartyGaming.Net

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 20:55 --------- d-----w C:\Documents and Settings\owner\Application Data\BitTorrent
2008-02-03 22:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-03 22:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-02 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-16 04:01 --------- d-----w C:\Program Files\New Folder
2008-01-09 04:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-02 23:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-01 21:30 --------- d-----w C:\Program Files\BitTorrent
2007-12-30 00:14 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-30 00:14 --------- d-----w C:\Documents and Settings\owner\Application Data\eFax Messenger
2007-12-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-20 01:47 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-20 01:47 --------- d-----w C:\Program Files\DivX
2007-12-07 00:59 --------- d-----w C:\Program Files\CCP
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-09-25 22:22 19,952 -c--a-w C:\Documents and Settings\owner\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 19:00 49,152 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-04-11 18:50 958464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 22528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-02-01 18:45 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 40960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 163840]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1634304 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 294912]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 123392]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-30 17:46:34 263168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-12-29 19:12:44 636416]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [2007-08-17 17:19:00 741376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [ ]
"zip"= {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll [ ]

R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]

*Newly Created Service* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 02:01:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-06 20:05:14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 16:02:40
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 16:04:02
ComboFix-quarantined-files.txt 2008-02-06 21:03:33
ComboFix2.txt 2008-02-05 02:12:37
ComboFix3.txt 2008-02-03 19:36:36
ComboFix4.txt 2008-02-03 18:18:32
ComboFix5.txt 2008-02-03 06:00:22
.
2008-01-09 05:04:58 --- E O F ---


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:34 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?434c099082c649299522546f90588202
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?434c099082c649299522546f90588202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6540 bytes



I still can't find C:\WINDOWS\system32\apiuser32.dll even after adjusting my file viewing options.
  • 0

#8
Rorschach112


    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\lputphoh
C:\WINDOWS\system32\fnhoje
C:\2029340009

Folder::
C:\WINDOWS\lputphoh
C:\WINDOWS\system32\fnhoje
C:\2029340009


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.




Reboot and post a new HijackThis log
  • 0
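The two posts above hinge on one detail of the logs: ComboFix deleted apiuser32.dll and zip.dll, but the ShellServiceObjectDelayLoad values that tell Explorer to load them at logon survived, so HijackThis still lists them as O21 entries marked "(file missing)" and ComboFix prints an empty "[ ]" where it would otherwise show a timestamp and size. The same pattern shows up for the fnhoje service, which stays registered after its image is gone. The Python script below is an added example, not part of this thread and not code from ComboFix or HijackThis: it parses those three line formats out of pasted log text and flags autostarts whose file is missing or sits somewhere a shell extension or service image normally does not (the MSI cache under C:\WINDOWS\Installer, or a service image with no extension). The sample lines are copied from the logs above; the path heuristics and the reason wording are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix "Reg Loading Points" output
# and the HijackThis log posted in this thread, plus one benign BHO line as a control.
SAMPLE_LOG = r"""
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [ ]
"zip"= {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll [2008-02-02 13:02 38950]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]
S1 fnhoje;fnhoje;C:\WINDOWS\system32\fnhoje []
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll (file missing)
O21 - SSODL: zip - {92df37c5-78ce-431e-9de5-37f677a7cc09} - C:\WINDOWS\Installer\{92df37c5-78ce-431e-9de5-37f677a7cc09}\zip.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
"""

# ComboFix registry loading point:  "name"= {CLSID} - path [timestamp size]
# ComboFix leaves the brackets empty when the referenced file does not exist.
CF_SSODL = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# ComboFix service/driver line:  R3 name;display name;path [timestamp]
CF_SVC = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# HijackThis O21 line:  O21 - SSODL: name - {CLSID} - path (file missing)
HJT_O21 = re.compile(r'^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$')


@dataclass
class Finding:
    source: str          # "combofix" or "hijackthis"
    kind: str            # "ssodl" or "service"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _path_reasons(path: str, kind: str) -> list:
    """Location heuristics; these are assumptions of this example, not rules of either tool."""
    reasons = []
    low = path.lower()
    # The MSI cache holds installer packages; a COM server that Explorer loads at logon
    # being registered from there is atypical and worth a look.
    if low.startswith("c:\\windows\\installer\\"):
        reasons.append("loads from MSI cache (C:\\WINDOWS\\Installer)")
    # A service or driver image with no extension at all (e.g. 'fnhoje') is not how
    # Windows or vendor components are shipped.
    tail = low.rsplit("\\", 1)[-1]
    if kind == "service" and "." not in tail:
        reasons.append("service image has no file extension")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every SSODL entry or service whose file is missing or oddly placed."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := CF_SSODL.match(line)):
            f = Finding("combofix", "ssodl", m["name"], m["path"])
            if not m["meta"].strip():
                f.reasons.append("file missing: registry value outlives the DLL (orphaned autostart)")
            f.reasons += _path_reasons(m["path"], "ssodl")
        elif (m := CF_SVC.match(line)):
            f = Finding("combofix", "service", m["name"], m["path"])
            if not m["meta"].strip():
                f.reasons.append("file missing: service still registered for a deleted image")
            f.reasons += _path_reasons(m["path"], "service")
        elif (m := HJT_O21.match(line)):
            f = Finding("hijackthis", "ssodl", m["name"], m["path"])
            if m["missing"]:
                f.reasons.append("file missing: fix the O21 entry so the registry value is removed")
            f.reasons += _path_reasons(m["path"], "ssodl")
        else:
            continue   # other HijackThis sections and benign lines are not examined here
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.kind} {f.name!r}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Run on the sample it reports the two SSODL values from both logs and the fnhoje service, and stays quiet about SjyPkt.sys, whose image exists and carries a timestamp. The useful property is that an entry flagged as "file missing" is not fixed by deleting files again, which is why the reply above moves from a ComboFix script to HijackThis "Fix checked" on the O21 lines: the registry value itself has to go.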

#9
Kohkane


    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here you go!

COMBOFIX:

ComboFix 08-02.02.5 - owner 2008-02-07 16:00:31.9 - NTFSx86
Running from: C:\Documents and Settings\owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\2029340009
C:\WINDOWS\lputphoh
C:\WINDOWS\system32\fnhoje
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fnhoje
C:\2029340009
C:\2029340009\
C:\WINDOWS\lputphoh
C:\WINDOWS\lputphoh\1.png
C:\WINDOWS\lputphoh\2.png
C:\WINDOWS\lputphoh\3.png
C:\WINDOWS\lputphoh\4.png
C:\WINDOWS\lputphoh\5.png
C:\WINDOWS\lputphoh\6.png
C:\WINDOWS\lputphoh\7.png
C:\WINDOWS\lputphoh\8.png
C:\WINDOWS\lputphoh\9.png
C:\WINDOWS\lputphoh\bottom-rc.gif
C:\WINDOWS\lputphoh\config.png
C:\WINDOWS\lputphoh\content.png
C:\WINDOWS\lputphoh\download.gif
C:\WINDOWS\lputphoh\frame-bg.gif
C:\WINDOWS\lputphoh\frame-bottom-left.gif
C:\WINDOWS\lputphoh\frame-h1bg.gif
C:\WINDOWS\lputphoh\head.png
C:\WINDOWS\lputphoh\icon.png
C:\WINDOWS\lputphoh\indexwp.html
C:\WINDOWS\lputphoh\main.css
C:\WINDOWS\lputphoh\memory-prots.png
C:\WINDOWS\lputphoh\net.png
C:\WINDOWS\lputphoh\pc-mag.gif
C:\WINDOWS\lputphoh\pc.gif
C:\WINDOWS\lputphoh\poloska1.png
C:\WINDOWS\lputphoh\poloska2.png
C:\WINDOWS\lputphoh\poloska3.png
C:\WINDOWS\lputphoh\promowp1.html
C:\WINDOWS\lputphoh\promowp2.html
C:\WINDOWS\lputphoh\promowp3.html
C:\WINDOWS\lputphoh\promowp4.html
C:\WINDOWS\lputphoh\promowp5.html
C:\WINDOWS\lputphoh\reg.png
C:\WINDOWS\lputphoh\repair.png
C:\WINDOWS\lputphoh\start.png
C:\WINDOWS\lputphoh\styles.css
C:\WINDOWS\lputphoh\Thumbs.db
C:\WINDOWS\lputphoh\top-rc.gif
C:\WINDOWS\lputphoh\vline.gif
C:\WINDOWS\lputphoh\wp.png
C:\WINDOWS\system32\fnhoje
C:\WINDOWS\system32\fnhoje\

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-03 17:31 . 2008-02-03 17:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-03 11:55 . 2008-02-03 11:56 <DIR> d-------- C:\Program Files\LHClass
2008-02-03 11:55 . 2008-02-03 11:55 294,912 --------- C:\WINDOWS\Setup1.exe
2008-02-03 11:54 . 2008-02-03 11:54 80,384 --a------ C:\WINDOWS\ST6UNST.EXE
2008-02-03 10:52 . 2008-02-03 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 19:20 . 2008-02-02 19:20 <DIR> d-------- C:\Documents and Settings\owner\Application Data\Grisoft
2008-02-02 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 13:47 . 2008-02-02 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 12:39 . 2008-02-02 12:39 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-02 09:11 . 2008-02-02 15:56 <DIR> d-------- C:\Program Files\Steam
2008-01-23 14:57 . 2008-01-28 17:07 <DIR> d-------- C:\Program Files\PartyGaming.Net

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:47 --------- d-----w C:\Documents and Settings\owner\Application Data\BitTorrent
2008-02-03 22:32 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-02 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-16 04:01 --------- d-----w C:\Program Files\New Folder
2008-01-09 04:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-02 23:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-01 21:30 --------- d-----w C:\Program Files\BitTorrent
2007-12-30 00:14 --------- d-----w C:\Program Files\eFax Messenger 4.3
2007-12-30 00:14 --------- d-----w C:\Documents and Settings\owner\Application Data\eFax Messenger
2007-12-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2007-12-20 01:47 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-20 01:47 --------- d-----w C:\Program Files\DivX
2007-12-07 00:59 --------- d-----w C:\Program Files\CCP
2007-09-25 22:22 19,952 -c--a-w C:\Documents and Settings\owner\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 19:00 49,152 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-04-11 18:50 958464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 22528]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2008-02-01 18:45 587568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 40960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 163840]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1634304 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 294912]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 123392]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-30 17:46:34 263168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-12-29 19:12:44 636416]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [2007-08-17 17:19:00 741376]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]
S1 fnhoje;fnhoje;C:\WINDOWS\system32\fnhoje []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 02:01:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 20:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 16:09:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-07 16:14:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 21:14:46
ComboFix2.txt 2008-02-06 21:04:03
ComboFix3.txt 2008-02-05 02:12:37
ComboFix4.txt 2008-02-03 19:36:36
ComboFix5.txt 2008-02-03 18:18:32
.
2008-01-09 05:04:58 --- E O F ---





HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:59 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?434c099082c649299522546f90588202
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?434c099082c649299522546f90588202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6237 bytes
  • 0
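The HijackThis log above is a flat list of startup hooks (O4 Run keys and Startup folders), browser add-ons (O2/O3/O9) and services (O23). As an added example that is not part of this thread and not HijackThis's own code, here is a small parser for that line format which turns the entries into records and flags the ones an analyst reads first: entries marked "(file missing)", services listed with "Unknown owner", Run entries without an absolute path, Startup-folder items that are executables rather than shortcuts, and shortcuts whose target HijackThis could not resolve ("= ?"). The sample lines are copied from the log posted above; the flag wording and the Entry record layout are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Entry:
    section: str                 # HJT section code: "O4", "O23", ...
    kind: str                    # "HKLM Run", "Startup", "BHO", "Service", ...
    name: str                    # value name, shortcut name or display name
    path: str                    # best-effort file path, "" when HJT could not resolve one
    flags: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>Global Startup|Startup): (?P<rest>.*)$")
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
MISSING = " (file missing)"


def exe_from_command(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_absolute(path: str) -> bool:
    """True for a drive-rooted Windows path such as C:\\WINDOWS\\..."""
    return re.match(r"^[A-Za-z]:\\", path) is not None


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry, or None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    entry = Entry(sec, "other", body, "")          # fallback for sections not modelled here

    if sec == "O4" and (r := RUN_RE.match(body)):
        exe = exe_from_command(r.group("cmd"))
        entry = Entry(sec, f"{r.group('hive')} Run", r.group("name"), exe)
        if not is_absolute(exe):
            entry.flags.append("no absolute path: binary is located via the search path")
    elif sec == "O4" and (s := STARTUP_RE.match(body)):
        rest = s.group("rest")
        if " = " in rest:                          # "name.lnk = target" form
            name, target = rest.split(" = ", 1)
        else:                                      # bare file sitting in the Startup folder
            name, target = rest, ""
        entry = Entry(sec, s.group("kind"), name, "" if target == "?" else target)
        if target == "?":
            entry.flags.append("shortcut target could not be resolved")
        elif not name.lower().endswith(".lnk"):
            entry.flags.append("executable dropped directly into a Startup folder")
    elif sec in ("O2", "O3", "O9") and (c := COM_RE.match(body)):
        entry = Entry(sec, c.group("kind"), c.group("name"), c.group("path"))
    elif sec == "O23" and (v := SERVICE_RE.match(body)):
        entry = Entry(sec, "Service", v.group("name"), v.group("path"))
        if v.group("company") == "Unknown owner":
            entry.flags.append("service binary carries no publisher information")

    if missing:
        entry.flags.append("file missing: registration points at a file that no longer exists")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries worth a closer look before deciding what to fix."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4}{e.kind:<16}{e.name:<45}{'; '.join(e.flags)}")
```

A flag is a prompt to check, not a verdict: nwiz.exe and PnkBstrA are legitimate on a machine with NVIDIA drivers and PunkBuster, and the PartyPoker entries are simply orphaned. The value of running the log through code is that the same handful of conditions gets applied to every line instead of only the ones that catch the eye.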

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
fnhoje


Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Also tell me how your PC is running.
  • 0

#11
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0