PC hijacked by Antispywareupdate.net [RESOLVED]


#1 eyz (Member, 14 posts)

My WinXP is infected by antispywareupdate.net.

I followed a guide to do a manual fix using SmitfraudFix and HijackThis, but to no avail. The particular file/link that I needed to check in HijackThis was not there.

I also used Lavasoft Ad-Aware and AVG Anti-Spyware 7.5, but they were not of much help either.

I read in some of the successful cases in other threads that this malware/spyware can be removed, and I hope someone would be kind enough to help me with this.

Thanks in advance.

My scan reports are as follows:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:41:42 AM 26/02/2008

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208} -> Adware.Accoona : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4} -> Adware.ActivShopper : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456} -> Adware.Generic : Cleaned.
C:\Program Files\p2pnetworks -> Adware.MediaPipe : Cleaned.
C:\Program Files\p2pnetworks\amp2pl.exe -> Adware.MediaPipe : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.29:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.230:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.231:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.232:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.128:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.83:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.84:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.85:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.255:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.256:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.75:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.76:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.165:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\[email protected][1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.88:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.89:C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\~eyz~\Cookies\~eyz~@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Edited by eyz, 25 February 2008 - 04:55 PM.

#2 eyz (Topic Starter, 14 posts)

----------------------------------------------------------------
Activescan
----------------------------------------------------------------

Incident Status Location

Adware:adware/eshopper Not disinfected c:\windows\system32\ESHOPEE.exe

Adware:adware/popuper Not disinfected c:\windows\system32\msole32.exe

Potentially unwanted tool:application/activitymon Not disinfected c:\program files\amsys

Adware:adware/activshopper Not disinfected c:\program files\e-zshopper

Adware:adware/adbars Not disinfected Windows Registry

Dialer:dialer.xd Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}

Adware:adware/activesearch Not disinfected Windows Registry

Adware:adware/deskwizz Not disinfected Windows Registry

Adware:adware/404search Not disinfected Windows Registry

Adware:adware/adblaster Not disinfected Windows Registry

Adware:adware/adsincontext Not disinfected Windows Registry

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\restart.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]

Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt[.xiti.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cookies.txt[.atwola.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\~eyz~\Cookies\~eyz~@atwola[1].txt

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\~eyz~\Cookies\~eyz~@azjmp[2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\~eyz~\Cookies\~eyz~@go[1].txt

Possible Virus. Not disinfected C:\WINDOWS\dcnwpwby.exe
Possible Virus. Not disinfected C:\WINDOWS\ihafozcr.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Sorry, I do not know how to make it easier to view.

Edited by eyz, 25 February 2008 - 05:01 PM.

#3 eyz (Topic Starter, 14 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:50 AM, on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91f06ff2-1dd2-11b2-9eaf-ad2f1bed6684} - C:\WINDOWS\lobanqlo.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [twnaryrg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\twnaryrg.dll"
O4 - HKLM\..\Run: [dcvqlwzo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dcvqlwzo.dll"
O4 - HKLM\..\Run: [fuzaxkzy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fuzaxkzy.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKLM\..\Policies\Explorer\Run: [SehW5eOwq9] rundll32.exe "C:\WINDOWS\hgfybeve.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 (QQ Colorful Toolbar Settings) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchin...oad/CMBEdit.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.c...101/aliedit.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A998475-76EC-419C-B469-65E660D48102}: NameServer = 202.156.1.38,202.156.1.68,202.156.1.48
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 14094 bytes
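The log above already shows the loading points an analyst would act on: the F2 UserInit line that chains a second executable after userinit.exe, the O2 BHO backed by a DLL dropped directly into C:\WINDOWS, the O4 Run entries that load dropped DLLs through regsvr32 /u and rundll32, the Policies\Explorer\Run key, and the O17 DNS override. The Python script below is an added example and is not part of this thread, of Geeks to Go, or of HijackThis itself; it triages a HijackThis log for exactly those patterns. The rules are heuristics written for this example (the drop-directory and trusted-directory tests in particular are assumptions, not HijackThis logic), and SAMPLE_LOG is a constructed excerpt of lines quoted in the post, with a few benign entries kept as controls.

```python
"""Triage a HijackThis log for the persistence patterns visible in the post above.

Added example: not code from the thread, from Geeks to Go or from HijackThis.
The rules are heuristics chosen for this example; SAMPLE_LOG is a constructed
excerpt of lines quoted in the thread, with benign lines kept as controls.
"""
import re

# Constructed excerpt of the posted HijackThis log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {91f06ff2-1dd2-11b2-9eaf-ad2f1bed6684} - C:\WINDOWS\lobanqlo.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [twnaryrg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\twnaryrg.dll"
O4 - HKLM\..\Policies\Explorer\Run: [SehW5eOwq9] rundll32.exe "C:\WINDOWS\hgfybeve.dll",DllCleanServer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A998475-76EC-419C-B469-65E660D48102}: NameServer = 202.156.1.38,202.156.1.68,202.156.1.48
"""

LOADER = re.compile(r"\b(?:regsvr32|rundll32)(?:\.exe)?\b", re.IGNORECASE)
DLL_ARG = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)\b', re.IGNORECASE)
# Assumption for this example: a DLL sitting directly in C:\WINDOWS\ or in
# All Users\Application Data is a drop location; vendors install under
# Program Files or system32.
DROP_DIR = re.compile(r"\\application data\\[^\\]+$|^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
TRUSTED_DIR = re.compile(r"\\program files\\|\\system32\\", re.IGNORECASE)
O4_ENTRY = re.compile(r"^(?P<key>[^:]+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def check_userinit(body):
    """F2: Winlogon runs every comma-separated UserInit entry; only userinit.exe belongs there."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]
    return [("userinit-chain", "high", ", ".join(extra))] if extra else []


def check_bho(body):
    """O2: an orphaned BHO is leftover registry; a live DLL outside vendor dirs is suspect."""
    path = body.rsplit(" - ", 1)[-1].strip()
    if path == "(no file)":
        return [("orphan-bho", "low", body)]
    if not TRUSTED_DIR.search(path):
        return [("bho-unusual-path", "high", path)]
    return []


def check_run(body):
    """O4: Run entries that load a dropped DLL via regsvr32/rundll32, or use the policy Run key."""
    m = O4_ENTRY.match(body)
    if not m:
        return []
    findings = []
    if "policies" in m.group("key").lower():
        findings.append(("policy-run", "high", m.group("cmd")))
    if LOADER.search(m.group("cmd")):
        target = DLL_ARG.search(m.group("cmd"))
        if target and DROP_DIR.search(target.group(1)):
            findings.append(("loader-abuse", "high", target.group(1)))
    return findings


def check_dns(body):
    """O17: a NameServer override steers every lookup; report it for comparison with the ISP's servers."""
    m = re.search(r"NameServer\s*=\s*(.*)$", body, re.IGNORECASE)
    return [("dns-override", "review", m.group(1).strip())] if m else []


CHECKS = {"F2": check_userinit, "O2": check_bho, "O4": check_run, "O17": check_dns}


def triage(log_text):
    """Return (rule, severity, detail, line) for each HijackThis line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([FOR]\d+)\s+-\s+(.*)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        for rule, severity, detail in CHECKS.get(section, lambda _body: [])(body):
            findings.append((rule, severity, detail, line.strip()))
    return findings


if __name__ == "__main__":
    for rule, severity, detail, _ in triage(SAMPLE_LOG):
        print(f"{severity:6} {rule:17} {detail}")
```

Run it as a script to print the findings, or call triage() on a full log. The benign control lines (ccApp, NvCplDaemon, ctfmon, the Adobe BHO) produce nothing, while the policy Run line yields two findings because both the key and the loader are wrong. The O17 servers are only reported, not judged: a legitimate ISP override looks identical, so they have to be compared against what the ISP actually hands out.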
#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello eyz

Welcome to G2Go. :)
=================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: do not mouse-click ComboFix's window while it's running; that may cause it to stall.
#5 eyz (Topic Starter, 14 posts)

Hi Kahdah, I'm very thankful for the response. Much appreciated.

Sorry for the late reply, as my timezone is GMT+0800.

Just a note: a spyware popup appeared during the ComboFix run.

Also, I was not able to disable my Norton AntiVirus while running ComboFix.

I can't seem to find the disable button, and my Task Manager was disabled by the spyware.

Anyway, the logs requested are as follows:

-----------------------------------------------------------------------------------------------

ComboFix 08-02-25.3 - ~eyz~ 2008-02-26 14:21:25.1 - NTFSx86
Running from: C:\Documents and Settings\~eyz~\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\dcvqlwzo.dll
C:\Documents and Settings\All Users\Application Data.\fuzaxkzy.dll
C:\Documents and Settings\All Users\Application Data.\twnaryrg.dll
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\gjorsjov.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\lobanqlo.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\SehW5eOwq9wp.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\wzszuvqj.dll
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 06:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-26 05:50 . 2008-02-26 06:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 05:50 . 2008-02-26 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-26 05:50 . 2008-02-26 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-26 05:50 . 2008-02-26 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 04:12 . 2008-02-26 04:12 <DIR> d-------- C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-26 03:41 . 2008-02-26 03:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 03:10 . 2008-02-26 04:05 4,768 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-26 03:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-26 03:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-26 03:09 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-26 03:09 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-26 03:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-26 03:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-26 03:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 03:08 . 2008-02-26 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 03:08 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 03:07 . 2008-02-26 03:07 <DIR> d-------- C:\Program Files\CCleaner
2008-02-26 02:03 . 2008-02-26 02:03 <DIR> d-------- C:\WINDOWS\mfjcdjjp
2008-02-26 02:03 . 2008-02-26 02:03 190,464 --a------ C:\WINDOWS\mlshalsx.dll
2008-02-26 02:03 . 2008-02-26 02:03 190,464 --a------ C:\WINDOWS\hgfybeve.dll
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\qtkjmtmh.exe
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\adkbghkt.exe
2008-02-26 02:03 . 2008-02-26 02:03 39,936 --a------ C:\WINDOWS\ihafozcr.exe
2008-02-26 02:03 . 2008-02-26 02:03 39,936 --a------ C:\WINDOWS\dcnwpwby.exe
2008-02-26 00:37 . 2008-02-26 00:42 4,914,268 --a------ C:\temp\FreeYouTubeToMP3Converter.exe
2008-02-26 00:35 . 2008-02-26 01:06 <DIR> d-------- C:\DVDVideoSoft
2008-02-26 00:28 . 2008-02-26 00:33 4,908,759 --a------ C:\temp\FreeYouTubeToiPhoneConverter.exe
2008-02-22 19:12 . 2008-02-22 19:12 <DIR> d-------- C:\Program Files\TightVNC
2008-02-19 12:22 . 2008-02-19 12:23 7,205,939 --a------ C:\temp\FreeVideoToiPhoneConverter.exe
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-27 22:41 . 2008-01-27 22:41 <DIR> d-------- C:\Program Files\MSBuild
2008-01-27 22:37 . 2008-01-27 22:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-27 22:36 . 2008-01-27 22:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-27 22:35 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 22:35 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-27 22:31 . 2008-02-04 01:44 <DIR> d-------- C:\Program Files\touchFree

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 06:26 30,976 ----a-w C:\WINDOWS\kvnab$.exe
2008-02-26 06:26 30,720 ----a-w C:\WINDOWS\xadbrk_.exe
2008-02-26 06:26 29,184 ----a-w C:\WINDOWS\liqui.exe
2008-02-26 06:26 28,416 ----a-w C:\WINDOWS\eventlowg.dll
2008-02-26 06:26 24,320 ----a-w C:\WINDOWS\xadbrk.dll
2008-02-26 06:26 21,248 ----a-w C:\WINDOWS\liqui-Uninstaller.exe
2008-02-26 06:26 19,712 ----a-w C:\WINDOWS\kkcomp.exe
2008-02-26 06:26 17,408 ----a-w C:\WINDOWS\kvnab.dll
2008-02-26 06:26 15,872 ----a-w C:\WINDOWS\liqad.exe
2008-02-26 06:25 18,176 ----a-w C:\WINDOWS\764.exe
2008-02-26 00:04 6,029,312 ---ha-w C:\Documents and Settings\~eyz~\NTUSER.DAT
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-25 22:25 --------- d-----w C:\Program Files\MSN Messenger
2008-02-25 22:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-25 22:23 --------- d-----w C:\Program Files\iTunes
2008-02-25 22:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-25 20:12 --------- d-----w C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-19 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 08:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-13 13:56 --------- d-----w C:\Program Files\BitComet
2008-02-01 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-15 01:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-14 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 10:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-11 18:55 --------- d-----w C:\Program Files\Fugu-1.1.8
2008-01-11 18:54 --------- d-----w C:\Program Files\Python21
2008-01-11 16:56 --------- d-----w C:\Program Files\WinSCP
.

------- Sigcheck -------

4761e71fbea4f96ebaed6fbab53754c2 C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-07-19 15:28 6150456]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2001-10-08 12:59 45632]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 18:06 3144800]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 14:38 107112]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 10:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:56 15360]

C:\Documents and Settings\~eyz~\Start Menu\Programs\Startup\
Tencent QQ.lnk - C:\Program Files\Tencent\QQ\QQ.exe [2007-06-27 14:12:59 1208320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"SehW5eOwq9"= rundll32.exe "C:\WINDOWS\hgfybeve.dll",DllCleanServer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"46464:TCP"= 46464:TCP:BitComet 46464 TCP
"46464:UDP"= 46464:UDP:BitComet 46464 UDP

R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 21:17]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-04 10:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 12:47:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ~eyz~.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
"2007-12-17 04:07:18 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 14:27:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 14:28:24
ComboFix-quarantined-files.txt 2008-02-26 06:28:20

Edited by eyz, 26 February 2008 - 02:23 AM.

#6 eyz (Member, Topic Starter, 14 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:38 PM, on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKLM\..\Policies\Explorer\Run: [SehW5eOwq9] rundll32.exe "C:\WINDOWS\hgfybeve.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchin...oad/CMBEdit.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.c...101/aliedit.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A998475-76EC-419C-B469-65E660D48102}: NameServer = 202.156.1.38,202.156.1.68,202.156.1.48
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12724 bytes

#7 eyz (Member, Topic Starter, 14 posts)
I managed to disable my Norton AntiVirus and its add-on, and did another round of ComboFix on it.

Here's the log.

ComboFix 08-02-25.3 - ~eyz~ 2008-02-26 16:27:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT 8:00]
Running from: C:\Documents and Settings\~eyz~\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\SehW5eOwq9wp.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 16:32 . 2008-02-26 16:32 1,864 --a------ C:\WINDOWS\default.htm
2008-02-26 16:18 . 2008-02-26 16:19 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-26 06:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-26 05:50 . 2008-02-26 06:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 05:50 . 2008-02-26 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-26 05:50 . 2008-02-26 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-26 05:50 . 2008-02-26 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 04:12 . 2008-02-26 04:12 <DIR> d-------- C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-26 03:41 . 2008-02-26 03:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 03:10 . 2008-02-26 04:05 4,768 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-26 03:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-26 03:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-26 03:09 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-26 03:09 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-26 03:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-26 03:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-26 03:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 03:08 . 2008-02-26 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 03:08 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 03:07 . 2008-02-26 03:07 <DIR> d-------- C:\Program Files\CCleaner
2008-02-26 02:03 . 2008-02-26 02:03 <DIR> d-------- C:\WINDOWS\mfjcdjjp
2008-02-26 02:03 . 2008-02-26 02:03 190,464 --a------ C:\WINDOWS\mlshalsx.dll
2008-02-26 02:03 . 2008-02-26 02:03 190,464 --a------ C:\WINDOWS\hgfybeve.dll
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\qtkjmtmh.exe
2008-02-26 02:03 . 2008-02-26 02:03 89,107 --a------ C:\WINDOWS\adkbghkt.exe
2008-02-26 02:03 . 2008-02-26 02:03 39,936 --a------ C:\WINDOWS\ihafozcr.exe
2008-02-26 02:03 . 2008-02-26 02:03 39,936 --a------ C:\WINDOWS\dcnwpwby.exe
2008-02-26 00:37 . 2008-02-26 00:42 4,914,268 --a------ C:\temp\FreeYouTubeToMP3Converter.exe
2008-02-26 00:35 . 2008-02-26 01:06 <DIR> d-------- C:\DVDVideoSoft
2008-02-26 00:28 . 2008-02-26 00:33 4,908,759 --a------ C:\temp\FreeYouTubeToiPhoneConverter.exe
2008-02-22 19:12 . 2008-02-22 19:12 <DIR> d-------- C:\Program Files\TightVNC
2008-02-19 12:22 . 2008-02-19 12:23 7,205,939 --a------ C:\temp\FreeVideoToiPhoneConverter.exe
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-27 22:41 . 2008-01-27 22:41 <DIR> d-------- C:\Program Files\MSBuild
2008-01-27 22:37 . 2008-01-27 22:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-27 22:36 . 2008-01-27 22:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-27 22:35 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 22:35 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-27 22:31 . 2008-02-04 01:44 <DIR> d-------- C:\Program Files\touchFree

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 08:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-26 07:32 6,029,312 ---ha-w C:\Documents and Settings\~eyz~\NTUSER.DAT
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-25 22:25 --------- d-----w C:\Program Files\MSN Messenger
2008-02-25 22:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-25 22:23 --------- d-----w C:\Program Files\iTunes
2008-02-25 20:12 --------- d-----w C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-19 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 08:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-13 13:56 --------- d-----w C:\Program Files\BitComet
2008-02-01 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-15 01:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-14 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 10:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-11 18:55 --------- d-----w C:\Program Files\Fugu-1.1.8
2008-01-11 18:54 --------- d-----w C:\Program Files\Python21
2008-01-11 16:56 --------- d-----w C:\Program Files\WinSCP
.

------- Sigcheck -------

4761e71fbea4f96ebaed6fbab53754c2 C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-07-19 15:28 6150456]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2001-10-08 12:59 45632]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 18:06 3144800]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 14:38 107112]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 10:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:56 15360]

C:\Documents and Settings\~eyz~\Start Menu\Programs\Startup\
Tencent QQ.lnk - C:\Program Files\Tencent\QQ\QQ.exe [2007-06-27 14:12:59 1208320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"SehW5eOwq9"= rundll32.exe "C:\WINDOWS\hgfybeve.dll",DllCleanServer

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"46464:TCP"= 46464:TCP:BitComet 46464 TCP
"46464:UDP"= 46464:UDP:BitComet 46464 UDP

R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 21:17]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-04 10:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 12:47:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ~eyz~.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
"2007-12-17 04:07:18 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 16:32:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 16:33:30
ComboFix-quarantined-files.txt 2008-02-26 08:33:19
ComboFix2.txt 2008-02-26 06:28:26
#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\dcnwpwby.exe
C:\WINDOWS\ihafozcr.exe
C:\WINDOWS\adkbghkt.exe
C:\WINDOWS\qtkjmtmh.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\hgfybeve.dll
C:\WINDOWS\mlshalsx.dll
C:\WINDOWS\mfjcdjjp
C:\WINDOWS\hgfybeve.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"SehW5eOwq9"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
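
The CFScript above is a plain-text job for ComboFix: a File:: section listing paths to delete and a Registry:: section in REGEDIT4 syntax, where "Name"=- removes a value. As an added example (not ComboFix's own code and not from this thread), the Python parser below turns such a script into a reviewable plan: it deduplicates and sorts the file list the way ComboFix's own log echoes it back, collects the registry value deletions per key, reports any line it does not understand, and flags file entries that point at a whole system directory or are not absolute paths. Which directives ComboFix accepts beyond these two is assumed, not documented here.

```python
"""Parse a ComboFix CFScript into a reviewable cleanup plan (added example,
not ComboFix's own code).  Assumed format: 'File::' lists one absolute path
per line to delete; 'Registry::' uses REGEDIT4 syntax, '[key]' headers and
'"Name"=-' meaning delete that value.  Anything else is reported as unknown."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the script from the post above, duplicate line included.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\dcnwpwby.exe
C:\WINDOWS\ihafozcr.exe
C:\WINDOWS\adkbghkt.exe
C:\WINDOWS\qtkjmtmh.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\hgfybeve.dll
C:\WINDOWS\mlshalsx.dll
C:\WINDOWS\mfjcdjjp
C:\WINDOWS\hgfybeve.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"SehW5eOwq9"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")       # e.g. File::  Registry::
KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\path]
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')    # "Name"=-  (REGEDIT4 delete)
# Entries that would wipe a whole system directory rather than one artefact.
PROTECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files"}

@dataclass
class CleanupPlan:
    files: List[str] = field(default_factory=list)
    # registry key -> value names to delete under that key
    registry_deletes: Dict[str, List[str]] = field(default_factory=dict)
    unknown: List[str] = field(default_factory=list)

def parse_cfscript(text: str) -> CleanupPlan:
    plan = CleanupPlan()
    section = None
    current_key = None
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            # Windows paths are case-insensitive, so dedupe on the casefolded path.
            folded = line.casefold()
            if folded not in seen:
                seen.add(folded)
                plan.files.append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                current_key = m.group(1)
                plan.registry_deletes.setdefault(current_key, [])
                continue
            m = VALUE_DELETE_RE.match(line)
            if m and current_key is not None:
                plan.registry_deletes[current_key].append(m.group(1))
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    # ComboFix echoes the FILE:: list back sorted and deduplicated; mirror that.
    plan.files.sort(key=str.casefold)
    return plan

def risky_entries(plan: CleanupPlan) -> List[str]:
    """File entries a reviewer should reject: relative paths or whole system dirs."""
    risky = []
    for path in plan.files:
        norm = path.rstrip("\\").casefold()
        if norm in PROTECTED_DIRS or not re.match(r"^[a-z]:\\", norm):
            risky.append(path)
    return risky

def to_reg_file(plan: CleanupPlan) -> str:
    """Render the Registry:: part as a REGEDIT4 file (same '=-' delete syntax)."""
    lines = ["REGEDIT4", ""]
    for key, names in plan.registry_deletes.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)
```

Running `parse_cfscript(SAMPLE_SCRIPT)` yields the eight unique paths in the same order ComboFix prints under FILE :: in the next log, plus three registry keys with one value deletion each.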

#9 eyz (Topic Starter, Member, 14 posts)

Hi Kahdah,

My Windows just stays there without any icons on my desktop after ComboFix is done, and I had to do an on/off on my CPU in order to get it back working.

After this round of combofix, I do not encounter any more of the antispywareupdates.net on my wallpaper or any prompt from the taskbar and am able to bring out my task manager. ^_^

Please advise from here. Really, thank you for your time.

Here are the logs as requested :)

ComboFix 08-02-25.3 - ~eyz~ 2008-02-26 17:10:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.235 [GMT 8:00]
Running from: C:\Documents and Settings\~eyz~\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\~eyz~\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\adkbghkt.exe
C:\WINDOWS\dcnwpwby.exe
C:\WINDOWS\hgfybeve.dll
C:\WINDOWS\ihafozcr.exe
C:\WINDOWS\mfjcdjjp
C:\WINDOWS\mlshalsx.dll
C:\WINDOWS\qtkjmtmh.exe
C:\WINDOWS\system32\mgmrwmrv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\adkbghkt.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dcnwpwby.exe
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hgfybeve.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\ihafozcr.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mlshalsx.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\SehW5eOwq9wp.exe
C:\WINDOWS\qtkjmtmh.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-26 16:42 . 2008-02-26 16:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-26 16:42 . 2008-02-26 16:43 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-26 06:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-26 05:50 . 2008-02-26 06:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-26 05:50 . 2008-02-26 05:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-26 05:50 . 2008-02-26 05:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-26 05:50 . 2008-02-26 05:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 04:12 . 2008-02-26 04:12 <DIR> d-------- C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-26 03:41 . 2008-02-26 03:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 03:10 . 2008-02-26 04:05 4,768 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-26 03:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-26 03:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-26 03:09 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-26 03:09 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-26 03:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-26 03:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-26 03:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-26 03:08 . 2008-02-26 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 03:08 . 2007-05-30 20:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 03:07 . 2008-02-26 03:07 <DIR> d-------- C:\Program Files\CCleaner
2008-02-26 02:03 . 2008-02-26 02:03 <DIR> d-------- C:\WINDOWS\mfjcdjjp
2008-02-26 00:37 . 2008-02-26 00:42 4,914,268 --a------ C:\temp\FreeYouTubeToMP3Converter.exe
2008-02-26 00:35 . 2008-02-26 01:06 <DIR> d-------- C:\DVDVideoSoft
2008-02-26 00:28 . 2008-02-26 00:33 4,908,759 --a------ C:\temp\FreeYouTubeToiPhoneConverter.exe
2008-02-22 19:12 . 2008-02-22 19:12 <DIR> d-------- C:\Program Files\TightVNC
2008-02-19 12:22 . 2008-02-19 12:23 7,205,939 --a------ C:\temp\FreeVideoToiPhoneConverter.exe
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-02-19 12:16 . 2008-02-26 01:45 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-27 22:41 . 2008-01-27 22:41 <DIR> d-------- C:\Program Files\MSBuild
2008-01-27 22:37 . 2008-01-27 22:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-27 22:36 . 2008-01-27 22:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-27 22:35 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-27 22:35 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-27 22:31 . 2008-02-04 01:44 <DIR> d-------- C:\Program Files\touchFree

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 08:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-26 07:32 6,029,312 ---ha-w C:\Documents and Settings\~eyz~\NTUSER.DAT
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-02-25 22:25 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-25 22:25 --------- d-----w C:\Program Files\MSN Messenger
2008-02-25 22:24 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-25 22:23 --------- d-----w C:\Program Files\iTunes
2008-02-25 20:12 --------- d-----w C:\Documents and Settings\~eyz~\Application Data\Grisoft
2008-02-19 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 08:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-13 13:56 --------- d-----w C:\Program Files\BitComet
2008-02-01 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-15 01:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-14 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 10:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-11 18:55 --------- d-----w C:\Program Files\Fugu-1.1.8
2008-01-11 18:54 --------- d-----w C:\Program Files\Python21
2008-01-11 16:56 --------- d-----w C:\Program Files\WinSCP
.

------- Sigcheck -------

4761e71fbea4f96ebaed6fbab53754c2 C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 359,040 2007-09-01 16:39:30 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-07-19 15:28 6150456]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 18:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2001-10-08 12:59 45632]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 18:06 3144800]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-28 14:38 107112]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 10:22 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:56 15360]

C:\Documents and Settings\~eyz~\Start Menu\Programs\Startup\
Tencent QQ.lnk - C:\Program Files\Tencent\QQ\QQ.exe [2007-06-27 14:12:59 1208320]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"46464:TCP"= 46464:TCP:BitComet 46464 TCP
"46464:UDP"= 46464:UDP:BitComet 46464 UDP

R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 21:17]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-04 10:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 12:47:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ~eyz~.job"
- C:\PROGRA~1\NORTON~2\Navw32.exe
"2007-12-17 04:07:18 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 17:14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 17:15:29
ComboFix-quarantined-files.txt 2008-02-26 09:15:18
ComboFix2.txt 2008-02-26 08:33:31
ComboFix3.txt 2008-02-26 06:28:26

Edited by eyz, 26 February 2008 - 03:56 AM.

#10 eyz (Topic Starter, Member, 14 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:57 PM, on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tencent QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://site.cmbchin...oad/CMBEdit.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) - https://img.alipay.c...101/aliedit.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A998475-76EC-419C-B469-65E660D48102}: NameServer = 202.156.1.38,202.156.1.68,202.156.1.48
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11028 bytes
#11 eyz (Topic Starter, Member, 14 posts)

Hi Kahdah,

I did another ActiveScan on my PC and the following report was generated. Nothing was removed during the process.

Hope this helps.

Attached Files


Edited by eyz, 26 February 2008 - 05:22 AM.

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Those are cookies only and some components of the tools we use here.
Nothing to worry about. :)
=============================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
============================================================
Post the above log and then:
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#13 eyz (Topic Starter, Member, 14 posts)

Hi Kahdah,

Below is the log for the Malwarebytes scan.

I am still doing the Kaspersky Online scan and it's taking quite a while to download the anti-virus database.

Malwarebytes' Anti-Malware 1.05
Database version: 414

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 85897
Time elapsed: 26 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by eyz, 26 February 2008 - 10:42 PM.

#14 eyz (Topic Starter, Member, 14 posts)

Finally, the Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 27, 2008 2:18:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 582968
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 60723
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:24:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8E7A5D93.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B08CA192.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\cert8.db Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\history.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\key3.db Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\parent.lock Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\search.sqlite Object is locked skipped
C:\Documents and Settings\~eyz~\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\~eyz~\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Desktop\iphone\MISC\tightvnc-1.3.9-setup.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\Documents and Settings\~eyz~\Desktop\iphone\MISC\tightvnc-1.3.9-setup.exe Inno: infected - 1 skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Application Data\Mozilla\Firefox\Profiles\cpm4ip0p.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\History\History.IE5\MSHist012008022720080228\index.dat Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Temp\~DF8F1B.tmp Object is locked skipped
C:\Documents and Settings\~eyz~\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\~eyz~\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\~eyz~\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{11A511AE-76AA-4B6A-BDAB-9741567621DE}\RP2\A0000019.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{11A511AE-76AA-4B6A-BDAB-9741567621DE}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3AA3AB12-6BAC-4093-8334-1303D86C058B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{11A511AE-76AA-4B6A-BDAB-9741567621DE}\RP5\change.log Object is locked skipped
D:\System Volume Information\_restore{64FE2F67-B39F-4FD0-9C5F-82001229F916}\RP33\A0014437.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\System Volume Information\_restore{64FE2F67-B39F-4FD0-9C5F-82001229F916}\RP33\A0014437.exe mIRC: infected - 1 skipped

Scan process completed.
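As an added triage aid (not part of eyz's post and not the scanner's own tooling), here is a small Python parser for the Kaspersky Online Scanner result table above. It separates "Object is locked skipped" entries (files Windows holds open, which are not detections) from real hits, flags not-a-virus: riskware for human review, folds archive members such as /data0006 onto their container, and marks copies inside System Restore snapshots, which are dealt with by clearing restore points rather than deleting the file in place. The sample lines are constructed in the shape of the log; the paths, the GUID and the Trojan-Downloader.Win32.Example.a name are placeholders, not values from this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the scanner's "Infected Object Name /
# Virus Name / Last Action" table. Paths, GUID and the Trojan-Downloader name
# are placeholders, not values taken from the thread.
SAMPLE_LOG = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\user\\Desktop\\tool-setup.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\\Documents and Settings\\user\\Desktop\\tool-setup.exe Inno: infected - 1 skipped
C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP2\\A0000019.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\temp\\dropper.exe Infected: Trojan-Downloader.Win32.Example.a skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# Summary line for an archive/installer whose members were detected,
# e.g. "Inno: infected - 1 skipped".
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>\S+): infected - (?P<count>\d+) (?P<action>\w+)$")


@dataclass
class Finding:
    path: str        # as printed; '/' separates an archive member from its container
    name: str        # detection name, or the container format for summary lines
    category: str    # 'locked', 'malware', 'riskware' or 'container'
    action: str


def _in_restore_point(path):
    # System Restore keeps copies under "System Volume Information\_restore{...}";
    # those go away by clearing restore points, not by deleting the file in place.
    return "system volume information\\_restore" in path.lower()


def parse_kaspersky_log(text):
    """Turn the result table into Finding records; header and summary lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCKED_RE.match(line):
            findings.append(Finding(m["path"], "", "locked", "skipped"))
        elif m := INFECTED_RE.match(line):
            cat = "riskware" if m["name"].startswith("not-a-virus:") else "malware"
            findings.append(Finding(m["path"], m["name"], cat, m["action"]))
        elif m := CONTAINER_RE.match(line):
            findings.append(Finding(m["path"], m["fmt"], "container", m["action"]))
    return findings


def disposition(names, in_restore):
    """What a responder should do with one on-disk file, given its detection names."""
    if in_restore:
        return "restore-point copy: clear System Restore points"
    if any(not n.startswith("not-a-virus:") for n in names):
        return "remove"
    return "review: riskware/PUA, may be a deliberately installed tool"


def triage(findings):
    """Return (locked_count, {outer_file: {'names': [...], 'disposition': str}})."""
    locked = 0
    files = {}
    for f in findings:
        if f.category == "locked":
            locked += 1
            continue
        outer = f.path.split("/", 1)[0]     # collapse archive members onto their container
        entry = files.setdefault(outer, {"names": []})
        if f.category != "container":       # the summary line adds no new detection name
            entry["names"].append(f.name)
    for outer, entry in files.items():
        entry["disposition"] = disposition(entry["names"], _in_restore_point(outer))
    return locked, files


if __name__ == "__main__":
    locked, files = triage(parse_kaspersky_log(SAMPLE_LOG))
    print(f"{locked} locked object(s) ignored")
    for outer, entry in files.items():
        print(f"{entry['disposition']:55} {outer}  {entry['names']}")
```

Run against the full log above, the same rules reduce roughly 95 lines to the handful that need a decision: the VNC installer and mIRC come out as riskware to review (the helper's "false positives"), and the RiskTool hit inside _restore is resolved by the restore-point cleanup in the next reply rather than by touching the file.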

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I see that you have BitComet installed.
Having P2P programs such as these raises the possibility of getting infected again.
See here for information on P2P's.
I will leave it up to you if you want to remove it.
To remove it, simply uninstall it, then delete this folder: C:\Program Files\BitComet
=================================================
C:\Documents and Settings\~eyz~\Desktop\iphone\MISC\tightvnc-1.3.9-setup.exe
C:\Program Files\mIRC\mirc.exe

are false positives.

We need to get rid of what the other scanner found though so please do the following:

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[-HKEY_CURRENT_USER\Software\xflock]

[-HKEY_CURRENT_USER\Software\PostInstallC]
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

Then please delete that after it merges.
=============================================================================
Also uninstall Malwarebytes antimalware.

Then, time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete/uninstall anything that we used that is left over.
=====================================================================
After that, your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
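An added pre-flight check for the .reg fix described in the reply above; this is example code, not kahdah's or the forum's own tooling. regedit rejects a file whose first line is not exactly REGEDIT4 (or Windows Registry Editor Version 5.00), so a typo in the header means the two keys are never removed while the cleanup appears to be done. The check below validates the header, separates [-KEY] deletions from [KEY] writes, and refuses deletions of whole hives or top-level keys. FIX_FROM_THREAD reproduces the two deletions from the post; the function and constant names are mine, and value syntax under a key is deliberately not validated.

```python
import re

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# A key line is "[HKEY_...\path]" to create/write, or "[-HKEY_...\path]" to delete.
# .reg files require the full hive names; abbreviations like HKCU are not accepted.
KEY_RE = re.compile(
    r"^\[(?P<delete>-?)(?P<key>HKEY_(?:LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)"
    r"(?:\\[^\\\]]+)*)\]$"
)

# The two deletions from the post above, with the header spelled correctly.
FIX_FROM_THREAD = """REGEDIT4

[-HKEY_CURRENT_USER\\Software\\xflock]

[-HKEY_CURRENT_USER\\Software\\PostInstallC]
"""


def check_reg_file(text, min_depth=2):
    """Return (problems, deletions, writes) for the body of a .reg file.

    problems  - reasons regedit would reject the file, or a responder should not merge it
    deletions - keys the file removes ([-KEY] lines)
    writes    - keys the file creates or modifies ([KEY] lines)
    min_depth - refuse to delete keys with fewer than this many components below the hive,
                so a stray "[-HKEY_CURRENT_USER\\Software]" is caught before it is merged
    """
    lines = text.lstrip("\ufeff").splitlines()   # tolerate a UTF-16/UTF-8 BOM from Notepad
    problems, deletions, writes = [], [], []
    header = lines[0].strip() if lines else ""
    if header not in VALID_HEADERS:
        problems.append(f"bad header {header!r}: regedit will not merge this file")
    current_key = None
    for ln in lines[1:]:
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue                                  # blank line or comment
        if ln.startswith("["):
            m = KEY_RE.match(ln)
            if not m:
                problems.append(f"malformed key line: {ln}")
                current_key = None
                continue
            current_key = m["key"]
            if m["delete"]:
                if current_key.count("\\") < min_depth:
                    problems.append(f"refusing to delete broad key: {current_key}")
                deletions.append(current_key)
            else:
                writes.append(current_key)
        elif current_key is None:
            problems.append(f"value line outside any key: {ln}")
        # Anything else is a value line under current_key; its syntax is not validated here.
    return problems, deletions, writes


if __name__ == "__main__":
    for label, body in (("as posted, corrected", FIX_FROM_THREAD),
                        ("header typo", FIX_FROM_THREAD.replace("REGEDIT4", "RGEDIT4", 1))):
        problems, deletions, writes = check_reg_file(body)
        print(label, "->", "OK" if not problems else problems, deletions, writes)
```

Run the check on the saved fixthis.reg before double-clicking it: an empty problems list plus exactly the deletions you expect is the go signal, and a "broad key" entry means the file was edited wrongly. Exporting the two keys with reg.exe before merging gives a backup to re-import if something else depended on them.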