
cannot remove WinReanimator.. [CLOSED]



#1 waiwai (Member, 41 posts)
Hi
I'm encountering lots of problems when browsing in Internet Explorer right now, and WinReanimator is bothering me! Some software doesn't even run when I try to open it, such as VundoFix and HijackThis. None of the software that is supposed to help remove WinReanimator works, unless I click "Run" instead of saving it to my computer when I download VundoFix and VBG. Here are the logs that I'm able to post here:


VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:20:14 2/3/2008

Listing files found while scanning....

C:\WINDOWS\system32\winivstr.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winivstr.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 18:50:56 2/3/2008

Listing files found while scanning....


VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 19:18:50 2/3/2008

Listing files found while scanning....

C:\WINDOWS\system32\winivstr.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winivstr.exe Has been deleted!

Performing Repairs to the registry.
Done!



[03/02/2008, 22:54:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Administrator\Desktop\VirtumundoBeGone.exe" )
[03/02/2008, 22:54:23] - Detected System Information:
[03/02/2008, 22:54:23] - Windows Version: 5.1.2600, Service Pack 2
[03/02/2008, 22:54:23] - Current Username: HP_Administrator (Admin)
[03/02/2008, 22:54:23] - Windows is in NORMAL mode.
[03/02/2008, 22:54:23] - Searching for Browser Helper Objects:
[03/02/2008, 22:54:23] - BHO 1: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[03/02/2008, 22:54:23] - Finished Searching Browser Helper Objects
[03/02/2008, 22:54:23] - Finishing up...
[03/02/2008, 22:54:23] - Nothing found! Exiting...


#2 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi waiwai,

Welcome to Geeks To Go,

I'm sorry that we haven't got to you until now, but the forum can get hectic at times.

I am sage5 and I will be helping you with this problem.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse click combo-fix's window while it's running. That may cause it to stall**


Cheers,

sage5

#3 waiwai (Topic Starter, Member, 41 posts)
HELP :)

I've downloaded Combo-Fix and run it. After it rebooted the computer, it was going to prepare a log, BUT suddenly a Symantec Email Proxy started popping up NON STOP, saying: "Your email message to [email protected] (it pops up a different email address every time!) with the subject 'Huge, thick and incredibly hard' was unable to be sent because the connection to your mail server was interrupted. Please open your email client and re-send the message from the Sent Messages folder."
The other pop-up says: "Your email message was unable to be sent because your mail server rejected the message," blah blah blah...
At the same time, it has "another" pop-up processing a scan.

NON-STOP POP-UPS, I DIDN'T EVEN KNOW HOW TO STOP IT!!!

Then I had to shut down my computer because it's stressing me out...

Edited by waiwai, 08 March 2008 - 03:13 AM.


#4 waiwai (Topic Starter, Member, 41 posts)
I'm now viewing this on my other computer. Is this one of the unpredictable results that you just mentioned?

I forgot that I have Norton on my computer and I didn't disable it before running ComboFix :)
Is this very serious? I'm so scared... I can't even stop it popping up whenever I log on to my computer. OMG... I want to cry... :)

Edited by waiwai, 08 March 2008 - 03:14 AM.


#5 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi waiwai,

First, on your clean computer, I need you to download the following & save to the Desktop:
Brute Force Uninstaller

Extract BFU to a folder:
  • Right click the BFU.zip file on your desktop, and choose Extract All
  • Click Next
  • In the box to choose where to extract the files to,
    • Click Browse
    • Click on the + sign next to My Computer
    • Click on Local Disk (C:) or whatever your primary drive is
    • Click Make New Folder
    • Type in BFU
  • Click Next, and Uncheck the Show Extracted Files box and then click Finish.


Create a script file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)

OptionUseRecycleBin
OptionOnDeleteFailUseReboot
ProcessKill %PROGRAMFILES%\WinReanimator\WinReanimator.exe|1
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|WinReanimator
OptionUnloadShell
FolderDelete %PROGRAMFILES%\WinReanimator
SystemEmptyTempFolder
SystemRestart|1

  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file, to the C:\BFU folder, making sure that Type is All Files, and name it Fixanimator.bfu


Next, I need you to copy the C:\BFU folder to a USB stick or similar transferable media.


Reboot into Safe Mode:
  • Restart your infected Computer
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and press Enter.

Copy the BFU folder from the USB stick to the C:\ drive of the infected PC.

Run BFU:
Go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Beside the scriptline to execute field, click the folder icon and select Fixanimator.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
  • Reboot to normal windows.

See if that has slowed down the popups to the point that you can re run Combo-fix for me.
If so, post the text from the new C:\Combo-Fix.txt as your next Reply.

Cheers,

sage5

#6 waiwai (Topic Starter, Member, 41 posts)
Hi...

I followed the steps.
I ran BFU in Safe Mode, but it stopped at 71% and the computer asked me to reboot for the changes to take effect.
So it rebooted itself, but the Symantec email proxy is still popping up non-stop like before.

sigh

#7 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi waiwai,

I think the best way to proceed is to stop the email scanner.
  • Disconnect the infected PC from the internet by unplugging the modem/router cable.
  • Restart the computer in Safe Mode
  • Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
  • Click Options. If you see a menu, click Norton AntiVirus.
  • In the left pane, click Email.
  • In the right pane, uncheck Scan incoming Email and Scan outgoing Email.
  • Click OK.
  • If you use Norton AntiVirus 2006/2005, then in the Protection Alert dialog box, on the drop-down menu, click Permanently, and then click OK.
  • Exit Norton AntiVirus.

Now, try to re-run Combo-fix, first in Normal Mode.
If that fails, try to run it in Safe Mode

Next on the clean PC download the following & save to the USB stick used earlier:
Stinger

Copy this file to the Desktop of the infected PC and continue below:

Run Stinger:
  • Double click on the stng380.exe file to run the program.
  • Click the Add button to add any other hard drives you may have, to the scan. (by default Stinger picks the C:\ drive)
  • Click the Scan Now button
If Stinger finds a file that it cannot repair, you will need to turn off your System Restore (see instructions below)

To save the report of the scan, click the File menu and select Save report to file.
Save as C:\stinger.txt


To Turn Off System Restore:
  • Click Start & right click the My Computer icon.
  • Choose Properties, then the System Restore tab.
  • Put a check next to Turn off System Restore on all drives.
  • Click OK & Yes when you are prompted to restart Windows.


Now see if you can run HijackThis.
  • Please download the latest version of HijackThis
  • Choose to Save to disk.
  • In the Save window, browse to C:\Program Files, and click on the Create a new folder button.
  • Name the new folder HijackThis or HJT
  • Save the download to this folder.

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Reconnect your router/modem cable
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also include the text from C:\Combo-Fix.txt & C:\stinger.txt
Please include a note to tell me how your PC is running now.

Cheers,

sage5
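The HijackThis log that sage5 asks for in this post is read by eye in the thread: a Run value given as a bare filename, the same value name under both HKLM and HKCU, and a service with no vendor name are the kinds of entries a helper picks out first. As an added example, not part of the original post and not code from HijackThis or ComboFix, the Python script below applies those three triage rules to a constructed handful of lines in HijackThis v2 log format. The sample lines imitate entries of the kind quoted in this thread but are test input, not a record of any real machine; the rule names and the `launched_file`/`triage` helpers are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format. The lines imitate O4 and O23
# entries quoted elsewhere in this thread; they are test input, not a record
# of any real machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<rest>.+)$')


def launched_file(cmd):
    """Return the file an O4 Run command actually starts.

    A quoted path is taken whole; an unquoted one is the first token.
    For 'RUNDLL32.EXE <dll>,<entry>' the DLL is the thing worth looking at.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        parts = cmd.split(None, 1)
        exe, rest = parts[0], (parts[1] if len(parts) > 1 else '')
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and rest:
        return rest.split(',', 1)[0].strip().strip('"')
    return exe


def triage(log_text):
    """Return [(log line, reason)] for entries that deserve a second look."""
    findings = []
    run_entries = []                    # (line, hive, value name, file)
    hives_by_name = defaultdict(set)    # value name -> {HKLM, HKCU}

    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            target = launched_file(m.group('cmd'))
            name = m.group('name').lower()
            run_entries.append((line, m.group('hive'), name, target))
            hives_by_name[name].add(m.group('hive'))
            if '\\' not in target:
                # No directory: Windows resolves the name through the PATH
                # search order, so the entry does not pin down which file runs.
                findings.append((line, 'bare filename, resolved via PATH search order'))
            continue
        m = O23_RE.match(line)
        if m:
            fields = m.group('rest').rsplit(' - ', 2)
            if len(fields) == 3 and fields[1].strip().lower() == 'unknown owner':
                # HijackThis prints 'Unknown owner' when it finds no company
                # name for the service binary.
                findings.append((line, 'service binary without a vendor name'))

    for line, hive, name, target in run_entries:
        if len(hives_by_name[name]) > 1:
            # The same value name under both hives is a persistence pattern:
            # removing one copy leaves the other to restart the program.
            findings.append((line, 'same Run value name under both HKLM and HKCU'))
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_LOG):
        print(f'{reason}:\n    {line}')
```

The rules are prompts for a closer look, not verdicts: on the sample they flag both `braviax` entries and the unowned service, but also `RTHDCPL.EXE`, which is the Realtek audio control panel and is cleared by checking the file on disk. The `rundll32` handling matters because the NVIDIA entries would otherwise be reported as bare filenames for the loader rather than examined for the DLL they load.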

#8 waiwai (Topic Starter, Member, 41 posts)
Hi sage5

I was looking for the Options menu of Norton on my computer in Safe Mode,
but my Norton only has a full system scan.

But I did it in normal Windows mode.


this is the HJT



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02:49, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?ec50dfba8d754abb85a7bede6ad45d66
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?ec50dfba8d754abb85a7bede6ad45d66
O8 - Extra context menu item: [iTudou context-menu label, mis-encoded in the original log] - C:\Program Files\Tudou\iTudou\iTudou_Link.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxch...ectComboBox.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154975748146
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab....geUploader4.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxch...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxch...ol/IRCSharc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9709 bytes





ComboFix 08-03-07.4 - HP_Administrator 2008-03-09 14:19:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1033.18.1558 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk
C:\Documents and Settings\HP_Administrator\Application Data\inst.exe
C:\Program Files\WinReanimator
C:\Program Files\WinReanimator\data\daily.cvd
C:\Program Files\WinReanimator\htmlayout.dll
C:\Program Files\WinReanimator\install.exe
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\WinReanimator\pthreadVC2.dll
C:\Program Files\WinReanimator\un.ico
C:\Program Files\WinReanimator\unzip32.dll
C:\Program Files\WinReanimator\WinReanimator.cfg
C:\Program Files\WinReanimator\WinReanimator.dll
C:\Program Files\WinReanimator\WinReanimator.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-07 16:33 . 2008-03-07 16:33 18,033 --a------ C:\Program Files\Common Files\cakizehav.sys
2008-03-07 16:33 . 2008-03-07 16:33 17,984 --a------ C:\Documents and Settings\HP_Administrator\Application Data\esox.sys
2008-03-07 16:33 . 2008-03-07 16:33 17,518 --a------ C:\Documents and Settings\All Users\Application Data\icyp.com
2008-03-07 16:33 . 2008-03-07 16:33 16,906 --a------ C:\Program Files\Common Files\onas.sys
2008-03-07 16:33 . 2008-03-07 16:33 14,465 --a------ C:\Documents and Settings\All Users\Application Data\yses.sys
2008-03-07 16:33 . 2008-03-07 16:33 10,782 --a------ C:\Documents and Settings\All Users\Application Data\avufysyze.dat
2008-03-07 13:38 . 2008-03-07 13:38 16,384 --a------ C:\WINDOWS\nod32se.exe
2008-03-06 13:23 . 2008-03-06 13:23 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-06 13:11 . 2008-03-06 13:12 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-03 22:54 . 2008-03-03 22:54 19,861 --a------ C:\WINDOWS\ehireh.dll
2008-03-03 22:54 . 2008-03-03 22:54 19,696 --a------ C:\WINDOWS\rilemyxod.dat
2008-03-03 22:54 . 2008-03-03 22:54 19,338 --a------ C:\Program Files\Common Files\obosidikic.dll
2008-03-03 22:54 . 2008-03-03 22:54 17,768 --a------ C:\Documents and Settings\HP_Administrator\Application Data\vygak.dll
2008-03-03 22:54 . 2008-03-03 22:54 16,208 --a------ C:\WINDOWS\hizo.dat
2008-03-03 22:54 . 2008-03-03 22:54 16,172 --a------ C:\Documents and Settings\All Users\Application Data\taxuv.bin
2008-03-03 22:54 . 2008-03-03 22:54 16,069 --a------ C:\WINDOWS\arevo.reg
2008-03-03 22:54 . 2008-03-03 22:54 15,441 --a------ C:\Documents and Settings\All Users\Application Data\qynomo.pif
2008-03-03 22:54 . 2008-03-03 22:54 14,734 --a------ C:\Documents and Settings\HP_Administrator\Application Data\ubalejop.dll
2008-03-03 22:54 . 2008-03-03 22:54 14,273 --a------ C:\WINDOWS\system32\ewycykon.dat
2008-03-03 22:54 . 2008-03-03 22:54 14,112 --a------ C:\Documents and Settings\All Users\Application Data\ysiv.pif
2008-03-03 22:54 . 2008-03-03 22:54 14,021 --a------ C:\Documents and Settings\All Users\Application Data\fypykoh.dat
2008-03-03 22:54 . 2008-03-03 22:54 13,266 --a------ C:\Documents and Settings\HP_Administrator\Application Data\fecyz.exe
2008-03-03 22:54 . 2008-03-03 22:54 12,689 --a------ C:\WINDOWS\ryqiwi.exe
2008-03-03 22:54 . 2008-03-03 22:54 12,595 --a------ C:\WINDOWS\ymijydalu.dll
2008-03-03 22:54 . 2008-03-03 22:54 12,218 --a------ C:\WINDOWS\uzikacin.db
2008-03-03 22:54 . 2008-03-03 22:54 11,525 --a------ C:\WINDOWS\ulipov.scr
2008-03-03 22:54 . 2008-03-03 22:54 10,862 --a------ C:\Documents and Settings\HP_Administrator\Application Data\elegef.reg
2008-03-03 22:54 . 2008-03-03 22:54 10,756 --a------ C:\WINDOWS\etavokyvof.dl
2008-03-03 22:54 . 2008-03-03 22:54 10,728 --a------ C:\Documents and Settings\All Users\Application Data\wojuwocy.dat
2008-03-02 11:20 . 2008-03-02 19:50 <DIR> d-------- C:\VundoFix Backups
2008-03-01 16:11 . 2008-03-01 16:11 18,518 --a------ C:\WINDOWS\enezujyvyt.reg
2008-03-01 16:11 . 2008-03-01 16:11 18,007 --a------ C:\Program Files\Common Files\irut.dll
2008-03-01 16:11 . 2008-03-01 16:11 17,874 --a------ C:\WINDOWS\acezocah.bat
2008-03-01 16:11 . 2008-03-01 16:11 16,613 --a------ C:\WINDOWS\dutegi.inf
2008-03-01 16:11 . 2008-03-01 16:11 14,529 --a------ C:\Documents and Settings\HP_Administrator\Application Data\riqymofat.dll
2008-03-01 16:11 . 2008-03-01 16:11 13,945 --a------ C:\Documents and Settings\All Users\Application Data\ifyg.bin
2008-03-01 16:11 . 2008-03-01 16:11 13,563 --a------ C:\WINDOWS\akiqefybe.vbs
2008-03-01 16:11 . 2008-03-01 16:11 12,845 --a------ C:\WINDOWS\riroz.inf
2008-03-01 16:11 . 2008-03-01 16:11 12,305 --a------ C:\Documents and Settings\HP_Administrator\Application Data\ucafenula.sys
2008-03-01 16:11 . 2008-03-01 16:11 11,222 --a------ C:\WINDOWS\uneva.reg
2008-03-01 16:11 . 2008-03-01 16:11 11,129 --a------ C:\WINDOWS\vyciwuro._sy
2008-03-01 16:06 . 2008-03-01 16:06 58,368 --a------ C:\wpohl.exe
2008-03-01 16:06 . 2008-03-01 16:06 3,584 --a------ C:\qrwkjyd.exe
2008-02-29 23:04 . 2008-02-29 23:04 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 23:03 . 2008-02-29 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 15:59 . 2008-02-27 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-25 14:45 . 2008-03-01 13:42 <DIR> d-------- C:\Program Files\VSO
2008-02-25 14:22 . 2008-02-25 14:46 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-25 14:22 . 2008-03-01 13:42 47,360 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2008-02-25 14:21 . 2008-03-01 13:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Vso
2008-02-17 11:55 . 2008-02-17 11:55 <DIR> d-------- C:\Program Files\Tudou
2008-02-15 12:05 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-13 14:30 . 2008-03-06 13:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-13 14:30 . 2008-02-13 14:30 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-02-13 14:30 . 2008-02-13 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-12 21:36 . 2008-02-12 21:36 4,096 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-12 21:23 . 2008-02-12 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 02:22 . 2008-02-17 19:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 21:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 23:33 19,391 ----a-w C:\WINDOWS\system32\efiqu.com
2008-03-07 23:33 17,984 ----a-w C:\WINDOWS\usyhoqy.pif
2008-03-07 23:33 16,216 ----a-w C:\Program Files\Common Files\avas.ban
2008-03-07 23:33 15,449 ----a-w C:\WINDOWS\ufol.reg
2008-03-07 23:33 13,730 ----a-w C:\WINDOWS\ipit.bin
2008-03-07 23:33 13,460 ----a-w C:\WINDOWS\ygic.bin
2008-03-07 23:33 13,089 ----a-w C:\WINDOWS\system32\imid.bat
2008-03-07 23:33 12,880 ----a-w C:\WINDOWS\system32\umyr.reg
2008-03-07 23:33 12,497 ----a-w C:\WINDOWS\system32\usufaz.sys
2008-03-07 23:33 11,290 ----a-w C:\WINDOWS\huzol.vbs
2008-03-04 05:54 18,865 ----a-w C:\Program Files\Common Files\axomufulo.dl
2008-03-04 05:54 17,275 ----a-w C:\Program Files\Common Files\yhewelyc.ban
2008-03-03 06:38 --------- d-----w C:\Program Files\QuickTime
2008-03-03 06:38 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-01 23:05 --------- d-----w C:\Program Files\uTorrent
2008-03-01 23:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-03-01 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-03-01 20:45 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-01 20:45 --------- d-----w C:\Program Files\AVS4YOU
2008-03-01 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 06:06 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 06:04 --------- d-----w C:\Program Files\Windows Live
2008-02-28 05:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2008-02-26 19:19 --------- d-----w C:\Program Files\Warcraft III
2008-02-26 19:19 --------- d-----w C:\Program Files\Steam
2008-02-15 19:05 --------- d-----w C:\Program Files\Java
2008-02-10 09:43 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Error itch scr
2008-02-10 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\web first sixth 2
2008-01-19 21:23 --------- d-----w C:\Program Files\Foxy
2008-01-19 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 21:20 --------- d-----w C:\Program Files\Doom 3
2008-01-19 21:11 --------- d-----w C:\Program Files\Symantec
2008-01-19 20:46 --------- d-----w C:\Program Files\AlienGUIse
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-05-21 09:01 532,616 ----a-w C:\Program Files\ImageResizerPowertoySetup.exe
2007-04-11 05:58 1,370 ----a-r C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2005-05-12 07:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.

------- Sigcheck -------

ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w 359,936 2005-03-14 01:17:18 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
-c--a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c--a-w 359,040 2004-08-10 05:00:00 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
-c----w 359,808 2005-03-14 00:55:08 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-03-08 00:58 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-08 00:59 68856]
"iTudouAutoStart"="C:\Program Files\Tudou\iTudou\iTudou.exe" [2008-03-08 00:58 958464]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:34 1605740]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 03:06 86016]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-09 22:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 22:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 22:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 22:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 16010240 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-03-08 00:59 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-08 00:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-03-08 01:01 26248]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [ ]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06 114688]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57 344064]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 03:06 7311360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-08 00:59 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-08 01:01 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-08 01:00 132496]
"braviax"="braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 17:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 16:35 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-10 03:06 7311360 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-08 01:01 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-08 00:59 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\day of defeat source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19945:TCP"= 19945:TCP:Foxy (192.168.50.1:19945) 19945 TCP
"19945:UDP"= 19945:UDP:Foxy (192.168.50.1:19945) 19945 UDP

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-08-16 08:24]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 03:44]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-01-19 11:34]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 07:31:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-08 04:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-09 21:08:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-06 20:11:12 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 14:24:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\infoxmid]
"ImagePath"="\??\C:\WINDOWS\inf\wseqnx.inf"
.
Completion time: 2008-03-09 14:24:59
ComboFix-quarantined-files.txt 2008-03-09 21:24:57
.
2008-02-15 18:59:58 --- E O F ---



stng380.txt


McAfee® Stinger Version 3.8.0 built on Sep 10 2007

Copyright © 2007 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 10 2007.

Ready to scan for 191 viruses, trojans and variants.



Scan initiated on Sun Mar 09 14:27:43 2008

Number of clean files: 181732

Edited by waiwai, 09 March 2008 - 04:07 PM.


#9 waiwai (Member, Topic Starter, 41 posts)
Computer seems to be running fine now... but my Norton is still off.

#10 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi waiwai,

Let's get rid of the last of the known bad files on the infected PC

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [iTudouAutoStart] C:\Program Files\Tudou\iTudou\iTudou.exe -AutoStart
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O8 - Extra context menu item: ??iTudou???? - C:\Program Files\Tudou\iTudou\iTudou_Link.HTM

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Create a ComboFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Program Files\Common Files\cakizehav.sys
C:\Documents and Settings\HP_Administrator\Application Data\esox.sys
C:\Documents and Settings\All Users\Application Data\icyp.com
C:\Program Files\Common Files\onas.sys
C:\Documents and Settings\All Users\Application Data\yses.sys
C:\Documents and Settings\All Users\Application Data\avufysyze.dat
C:\WINDOWS\nod32se.exe
C:\WINDOWS\ehireh.dll
C:\WINDOWS\rilemyxod.dat
C:\Program Files\Common Files\obosidikic.dll
C:\Documents and Settings\HP_Administrator\Application Data\vygak.dll
C:\WINDOWS\hizo.dat
C:\Documents and Settings\All Users\Application Data\taxuv.bin
C:\WINDOWS\arevo.reg
C:\Documents and Settings\All Users\Application Data\qynomo.pif
C:\Documents and Settings\HP_Administrator\Application Data\ubalejop.dll
C:\WINDOWS\system32\ewycykon.dat
C:\Documents and Settings\All Users\Application Data\ysiv.pif
C:\Documents and Settings\All Users\Application Data\fypykoh.dat
C:\Documents and Settings\HP_Administrator\Application Data\fecyz.exe
C:\WINDOWS\ryqiwi.exe
C:\WINDOWS\ymijydalu.dll
C:\WINDOWS\uzikacin.db
C:\WINDOWS\ulipov.scr
C:\Documents and Settings\HP_Administrator\Application Data\elegef.reg
C:\WINDOWS\etavokyvof.dl
C:\Documents and Settings\All Users\Application Data\wojuwocy.dat
C:\WINDOWS\enezujyvyt.reg
C:\Program Files\Common Files\irut.dll
C:\WINDOWS\acezocah.bat
C:\WINDOWS\dutegi.inf
C:\Documents and Settings\HP_Administrator\Application Data\riqymofat.dll
C:\Documents and Settings\All Users\Application Data\ifyg.bin
C:\WINDOWS\akiqefybe.vbs
C:\WINDOWS\riroz.inf
C:\Documents and Settings\HP_Administrator\Application Data\ucafenula.sys
C:\WINDOWS\uneva.reg
C:\WINDOWS\vyciwuro._sy
C:\wpohl.exe
C:\qrwkjyd.exe
C:\WINDOWS\system32\efiqu.com
C:\WINDOWS\usyhoqy.pif
C:\Program Files\Common Files\avas.ban
C:\WINDOWS\ufol.reg
C:\WINDOWS\ipit.bin
C:\WINDOWS\ygic.bin
C:\WINDOWS\system32\imid.bat
C:\WINDOWS\system32\umyr.reg
C:\WINDOWS\system32\usufaz.sys
C:\WINDOWS\huzol.vbs
C:\Program Files\Common Files\axomufulo.dl
C:\Program Files\Common Files\yhewelyc.ban
C:\WINDOWS\inf\wseqnx.inf

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\infoxmid]

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

I think you can now re-enable your Norton applications.

Cheers,

sage5
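The ComboFix logs posted above and the cleanup script in the post above share the same security-relevant pattern: Run values whose file could not be sized or dated (the two "braviax" entries), Security Center notifications and monitoring switched off, the Windows Firewall disabled for the standard profile, and a service ("infoxmid") whose ImagePath points at an .inf file under C:\WINDOWS\inf instead of a driver or executable. The script below is an added example, not code from this thread, from the helpers, or from ComboFix: it parses a "Reg Loading Points" section and flags exactly those indicators, so the reader can see how a triager turns that output into a short list of items to fix. The sample log is constructed to mirror the entries in the thread (it is not a verbatim copy), and the function and class names are this example's own.

```python
"""Triage of a ComboFix 'Reg Loading Points' section (added example).

Not part of the thread or of ComboFix. The sample below is constructed to
mirror the kinds of entries the thread's logs contain; it is not a verbatim
copy. Names (Finding, parse_loading_points, triage) are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: benign entries next to the patterns flagged in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-08 00:59 115816]
"braviax"="braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-08-16 08:24]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\infoxmid]
"ImagePath"="\??\C:\WINDOWS\inf\wseqnx.inf"
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*?)\s*$')
RUN_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')   # "path" [date size]
DRIVER_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>[^\[]+?)\s*\[')
DWORD_RE = re.compile(r'dword:(?P<hex>[0-9a-fA-F]{8})')

SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "updatesdisablenotify",
                         "firewalldisablenotify", "disablemonitoring"}
IMAGE_EXTS = (".exe", ".sys", ".dll")   # what a service/driver ImagePath should end in


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    where: str      # registry key (lower-cased) or driver name
    detail: str


def parse_loading_points(text):
    """Return ({section_key: [(value_name, value_text)]}, [(driver_svc, driver_path)])."""
    sections, drivers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group("key").lower()
            sections.setdefault(current, [])
        elif (m := DRIVER_RE.match(line)):            # standalone 'R3 NAME;desc;path [date]' lines
            drivers.append((m.group("svc"), m.group("path").strip()))
        elif (m := VALUE_RE.match(line)) and current is not None:
            sections[current].append((m.group("name"), m.group("rest")))
    return sections, drivers


def triage(text):
    """Flag the loading-point patterns a helper would want to look at first."""
    sections, drivers = parse_loading_points(text)
    findings = []
    for key, values in sections.items():
        if key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            for name, rest in values:
                if not (m := RUN_RE.match(rest)):
                    continue
                path, meta = m.group("path"), m.group("meta").strip()
                bare = "\\" not in path                # no directory: resolved via the search path
                if not meta:                           # ComboFix recorded no date/size for the file
                    findings.append(Finding("high" if bare else "medium", key,
                        f'Run value "{name}" -> {path}: no size/timestamp recorded'
                        + (", bare filename resolved via search path" if bare else "")))
        elif "security center" in key:
            for name, rest in values:
                m = DWORD_RE.search(rest)
                if name.lower() in SECURITY_CENTER_FLAGS and m and int(m.group("hex"), 16) == 1:
                    findings.append(Finding("medium", key, f"{name}=1 (Security Center alerting suppressed)"))
        elif key.endswith(r"firewallpolicy\standardprofile"):
            for name, rest in values:
                if name.lower() == "enablefirewall" and rest.split()[0] == "0":
                    findings.append(Finding("medium", key, "Windows Firewall disabled for the standard profile"))
        elif "\\services\\" in key:
            for name, rest in values:
                if name.lower() == "imagepath":
                    path = rest.strip('"').replace("\\??\\", "")
                    if not path.lower().endswith(IMAGE_EXTS):
                        findings.append(Finding("high", key, f"service ImagePath is not an executable image: {path}"))
    for svc, path in drivers:
        if not path.lower().endswith(IMAGE_EXTS):
            findings.append(Finding("high", f"driver {svc}", f"driver image with unexpected extension: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}: {f.detail}")
```

Run against the sample, this reports seven items: the HKLM "braviax" value as high (bare filename, nothing on disk), the HKCU "braviax" value as medium, the three Security Center suppressions, the disabled firewall, and the "infoxmid" service whose image is an .inf file. The legitimate ctfmon, ccApp and CXFALCON entries produce nothing, which is the point: the rules key on properties of the entry (missing file metadata, a non-image ImagePath, a disabled protection) rather than on the random file names this family generates, so they keep working after the names change.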



#11 waiwai (Member, Topic Starter, 41 posts)
ComboFix 08-03-07.4 - HP_Administrator 2008-03-10 0:10:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1033.18.1526 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\avufysyze.dat
C:\Documents and Settings\All Users\Application Data\fypykoh.dat
C:\Documents and Settings\All Users\Application Data\icyp.com
C:\Documents and Settings\All Users\Application Data\ifyg.bin
C:\Documents and Settings\All Users\Application Data\qynomo.pif
C:\Documents and Settings\All Users\Application Data\taxuv.bin
C:\Documents and Settings\All Users\Application Data\wojuwocy.dat
C:\Documents and Settings\All Users\Application Data\yses.sys
C:\Documents and Settings\All Users\Application Data\ysiv.pif
C:\Documents and Settings\HP_Administrator\Application Data\elegef.reg
C:\Documents and Settings\HP_Administrator\Application Data\esox.sys
C:\Documents and Settings\HP_Administrator\Application Data\fecyz.exe
C:\Documents and Settings\HP_Administrator\Application Data\riqymofat.dll
C:\Documents and Settings\HP_Administrator\Application Data\ubalejop.dll
C:\Documents and Settings\HP_Administrator\Application Data\ucafenula.sys
C:\Documents and Settings\HP_Administrator\Application Data\vygak.dll
C:\Program Files\Common Files\avas.ban
C:\Program Files\Common Files\axomufulo.dl
C:\Program Files\Common Files\cakizehav.sys
C:\Program Files\Common Files\irut.dll
C:\Program Files\Common Files\obosidikic.dll
C:\Program Files\Common Files\onas.sys
C:\Program Files\Common Files\yhewelyc.ban
C:\qrwkjyd.exe
C:\WINDOWS\acezocah.bat
C:\WINDOWS\akiqefybe.vbs
C:\WINDOWS\arevo.reg
C:\WINDOWS\dutegi.inf
C:\WINDOWS\ehireh.dll
C:\WINDOWS\enezujyvyt.reg
C:\WINDOWS\etavokyvof.dl
C:\WINDOWS\hizo.dat
C:\WINDOWS\huzol.vbs
C:\WINDOWS\inf\wseqnx.inf
C:\WINDOWS\ipit.bin
C:\WINDOWS\nod32se.exe
C:\WINDOWS\rilemyxod.dat
C:\WINDOWS\riroz.inf
C:\WINDOWS\ryqiwi.exe
C:\WINDOWS\system32\efiqu.com
C:\WINDOWS\system32\ewycykon.dat
C:\WINDOWS\system32\imid.bat
C:\WINDOWS\system32\umyr.reg
C:\WINDOWS\system32\usufaz.sys
C:\WINDOWS\ufol.reg
C:\WINDOWS\ulipov.scr
C:\WINDOWS\uneva.reg
C:\WINDOWS\usyhoqy.pif
C:\WINDOWS\uzikacin.db
C:\WINDOWS\vyciwuro._sy
C:\WINDOWS\ygic.bin
C:\WINDOWS\ymijydalu.dll
C:\wpohl.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 22:11 . 2008-03-09 22:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 22:11 . 2008-03-09 22:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-07 16:33 . 2008-03-07 16:33 16,677 --a------ C:\WINDOWS\system32\upole.dl
2008-03-07 16:33 . 2008-03-07 16:33 15,408 --a------ C:\WINDOWS\qemyle.ban
2008-03-07 16:33 . 2008-03-07 16:33 13,444 --a------ C:\WINDOWS\zudecewes.ban
2008-03-07 16:33 . 2008-03-07 16:33 10,639 --a------ C:\WINDOWS\uqamuw.dl
2008-03-06 13:23 . 2008-03-06 13:23 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-06 13:11 . 2008-03-06 13:12 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-02 11:20 . 2008-03-02 19:50 <DIR> d-------- C:\VundoFix Backups
2008-02-29 23:04 . 2008-02-29 23:04 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 23:03 . 2008-02-29 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 15:59 . 2008-02-27 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-25 14:45 . 2008-03-01 13:42 <DIR> d-------- C:\Program Files\VSO
2008-02-25 14:22 . 2008-02-25 14:46 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-25 14:22 . 2008-03-01 13:42 47,360 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2008-02-25 14:21 . 2008-03-01 13:42 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Vso
2008-02-17 11:55 . 2008-02-17 11:55 <DIR> d-------- C:\Program Files\Tudou
2008-02-15 12:05 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-13 14:30 . 2008-03-06 13:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-13 14:30 . 2008-02-13 14:30 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-02-13 14:30 . 2008-02-13 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-12 21:36 . 2008-02-12 21:36 4,096 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-12 21:23 . 2008-02-12 21:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 02:22 . 2008-02-17 19:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 21:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-03 06:38 --------- d-----w C:\Program Files\QuickTime
2008-03-03 06:38 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-01 23:05 --------- d-----w C:\Program Files\uTorrent
2008-03-01 23:05 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-03-01 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-03-01 20:45 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-01 20:45 --------- d-----w C:\Program Files\AVS4YOU
2008-03-01 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-01 06:06 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 06:04 --------- d-----w C:\Program Files\Windows Live
2008-02-28 05:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2008-02-26 19:19 --------- d-----w C:\Program Files\Warcraft III
2008-02-26 19:19 --------- d-----w C:\Program Files\Steam
2008-02-15 19:05 --------- d-----w C:\Program Files\Java
2008-02-10 09:43 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Error itch scr
2008-02-10 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\web first sixth 2
2008-01-19 21:23 --------- d-----w C:\Program Files\Foxy
2008-01-19 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 21:20 --------- d-----w C:\Program Files\Doom 3
2008-01-19 21:11 --------- d-----w C:\Program Files\Symantec
2008-01-19 20:46 --------- d-----w C:\Program Files\AlienGUIse
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-05-21 09:01 532,616 ----a-w C:\Program Files\ImageResizerPowertoySetup.exe
2007-04-11 05:58 1,370 ----a-r C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2005-05-12 07:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.

------- Sigcheck -------

ed06c31200714e734118f9a47f5df5ce C:\WINDOWS\system32\drivers\tcpip.sys
-c--a-w 359,936 2005-03-14 01:17:18 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
-c--a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c--a-w 359,040 2004-08-10 05:00:00 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
-c----w 359,808 2005-03-14 00:55:08 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-09_14.24.40.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 16:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-03-08 00:58 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-08 00:59 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-03-05 22:34 1605740]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 03:06 86016]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-09 22:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-09 22:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-09 22:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-09 22:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 16010240 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-03-08 00:59 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-08 00:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-03-08 01:01 26248]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [ ]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-01-16 14:06 114688]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-01-06 13:57 344064]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 03:06 7311360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-08 00:59 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-08 01:01 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-08 01:00 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-02 17:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 16:35 49152 c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-10 03:06 7311360 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-08 01:01 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-08 00:59 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\SteamApps\\himeu\\day of defeat source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19945:TCP"= 19945:TCP:Foxy (192.168.50.1:19945) 19945 TCP
"19945:UDP"= 19945:UDP:Foxy (192.168.50.1:19945) 19945 UDP

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2005-08-16 08:24]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 03:44]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-01-19 11:34]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 06:31:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-08 04:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-10 06:58:20 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-06 20:11:12 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 00:12:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 0:13:06
ComboFix-quarantined-files.txt 2008-03-10 07:13:04
ComboFix2.txt 2008-03-10 07:04:39
ComboFix3.txt 2008-03-09 21:25:00
.
2008-02-15 18:59:58 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:14:42, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?ec50dfba8d754abb85a7bede6ad45d66
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?ec50dfba8d754abb85a7bede6ad45d66
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxch...ectComboBox.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154975748146
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab....geUploader4.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxch...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxch...ol/IRCSharc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9310 bytes

#12 sage5 (Retired Staff, 2,646 posts)
Hi waiwai,

Please download the following & save to your Desktop:
OTMoveIt2 by OldTimer.

I see you have uTorrent installed on your system.
While the program itself is legal, most of the files downloaded with it are not.
These programs can also be one of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling uTorrent as outlined below.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    uTorrent
    Please take note of any other programs that you don't recognise in that list, and include them in your next response


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\upole.dl
    C:\WINDOWS\qemyle.ban
    C:\WINDOWS\zudecewes.ban
    C:\WINDOWS\uqamuw.dl
    C:\Program Files\Tudou
    C:\WINDOWS\system32\Thumbs.db
    C:\Program Files\uTorrent
    C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
    C:\Documents and Settings\HP_Administrator\Application Data\Error itch scr
    C:\Documents and Settings\All Users\Application Data\web first sixth 2
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything in the Results window to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Read the FAQ and information about Supported Browsers
  • Click the Start Scanning button
  • If you get a Security warning, or the Information Bar at the top of the IE7 page flashes, Allow permission for the ActiveX to run
  • click the Accept button
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report into a new Notepad file, saved as C:\f_secure.txt

Please paste the text from C:\f_secure.txt & C:\otmove.txt as your next reply

Cheers,

sage5
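The OTMoveIt2 step above is quarantine-by-move: each listed path is relocated out of its original location and a result line is logged, with a reboot only needed for items the OS refuses to move. The script below is an added example of that step, not OTMoveIt2's own code: the quarantine layout (mirroring the original path under one folder so an item can be restored) and every log wording except "moved successfully." are assumptions.

```python
"""Quarantine-by-move with an OTMoveIt-style result log.

Added example, not OTMoveIt2's code. The quarantine layout (mirroring the
original path under one folder) and every log wording except
"moved successfully." are assumptions.
"""
import shutil
from pathlib import Path


def quarantine_paths(paths, quarantine_root):
    """Move each listed file or folder under quarantine_root.

    Returns [(path, status), ...] with status "moved", "missing" or "deferred".
    "deferred" is what the reboot prompt in the instructions corresponds to:
    the OS refused the move (file in use or access denied). A Windows tool
    would schedule it with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT); here it is
    only reported so the operator can decide.
    """
    root = Path(quarantine_root)
    results = []
    for raw in paths:
        line = raw.strip()
        if not line:                       # blank lines in a pasted list are ignored
            continue
        src = Path(line)
        if not src.exists():
            results.append((line, "missing"))
            continue
        full = src.resolve()
        # Mirror the original location so the item can be restored later:
        # C:\WINDOWS\x.dl -> <root>\C\WINDOWS\x.dl on Windows, /tmp/x -> <root>/tmp/x elsewhere.
        dest = root / full.drive.rstrip(":") / full.relative_to(full.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(full), str(dest))
        except OSError:
            results.append((line, "deferred"))
            continue
        results.append((line, "moved"))
    return results


def format_log(results):
    """Render results in the style of the OTMoveIt2 log pasted in this thread."""
    wording = {
        "moved": "{} moved successfully.",
        "missing": "{} not found.",                               # assumed wording
        "deferred": "{} could not be moved; reboot required.",    # assumed wording
    }
    return "\n".join(wording[status].format(path) for path, status in results)


if __name__ == "__main__":
    import sys
    # Usage: python quarantine.py <quarantine_dir> < list_of_paths.txt
    print(format_log(quarantine_paths(sys.stdin.read().splitlines(), sys.argv[1])))
```

Moving rather than deleting is the point: a wrong entry in the paste list (system files are easy to mistype) stays recoverable, and the mirrored layout tells you where each item came from without a separate manifest.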

#13 waiwai (Topic Starter, 41 posts)
C:\WINDOWS\system32\upole.dl moved successfully.
C:\WINDOWS\qemyle.ban moved successfully.
C:\WINDOWS\zudecewes.ban moved successfully.
C:\WINDOWS\uqamuw.dl moved successfully.
C:\Program Files\Tudou\iTudou\user moved successfully.
C:\Program Files\Tudou\iTudou\update moved successfully.
C:\Program Files\Tudou\iTudou\temp moved successfully.
C:\Program Files\Tudou\iTudou\jnc909\wrong moved successfully.
C:\Program Files\Tudou\iTudou\jnc909\ready moved successfully.
C:\Program Files\Tudou\iTudou\jnc909\pic moved successfully.
C:\Program Files\Tudou\iTudou\jnc909\downloadinfo moved successfully.
C:\Program Files\Tudou\iTudou\jnc909\download moved successfully.
C:\Program Files\Tudou\iTudou\jnc909 moved successfully.
C:\Program Files\Tudou\iTudou\homepage moved successfully.
C:\Program Files\Tudou\iTudou moved successfully.
C:\Program Files\Tudou moved successfully.
C:\WINDOWS\system32\Thumbs.db moved successfully.
C:\Program Files\uTorrent moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\uTorrent moved successfully.
C:\Documents and Settings\HP_Administrator\Application Data\Error itch scr moved successfully.
C:\Documents and Settings\All Users\Application Data\web first sixth 2 moved successfully.

OTMoveIt2 v1.0.21 log created on 03102008_124149

Scanning Report
Monday, March 10, 2008 12:53:14 - 14:16:15
Computer name: JJ
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 4 malware found
AdWare.Win32.Virtumonde (spyware)
System
Tracking Cookie (spyware)
System
Trojan-Downloader.Win32.Small.ieg (virus)
System
Vundo.gen59 (virus)
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\CRACK.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 46911
System: 5230
Not scanned: 10
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{938B675F-2258-4DE1-8880-CD8A0249B394}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_1383251974_4653056_1299

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.20.0
F-Secure Blacklight: 1.0.64
F-Secure Hydra: 2.6.7470, 2008-03-10
F-Secure Pegasus: 1.20.0, 2008-02-07
F-Secure AVP: 7.0.171, 2008-03-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


Edited by waiwai, 10 March 2008 - 03:18 PM.


#14 sage5 (Retired Staff, 2,646 posts)
Hi waiwai,

Let's get a final check scan with a good anti-malware application:

Please download the following & save to your Desktop:
Malwarebytes' Anti-Malware from Here or Here

Run Malwarebytes' Anti-Malware:
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.

Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5

#15 waiwai (Topic Starter, 41 posts)
Malwarebytes' Anti-Malware 1.08
Database version: 482

Scan type: Quick Scan
Objects scanned: 35005
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:56, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\NJStar Communicator\Njcom32.exe
C:\Program Files\NJStar Communicator\NJSIME.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?ec50dfba8d754abb85a7bede6ad45d66
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?ec50dfba8d754abb85a7bede6ad45d66
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxch...ectComboBox.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154975748146
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab....geUploader4.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxch...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxch...ol/IRCSharc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9655 bytes

Edited by waiwai, 12 March 2008 - 03:16 PM.
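The thread closes on a clean Malwarebytes scan and a HijackThis log that the helper would compare by eye against the earlier one. The script below is an added example of doing that comparison mechanically; it is not HijackThis code. It parses the O-line grammar as inferred from the O2/O4/O16/O23 lines in the two logs above (any other section layout is an assumption and is kept as a raw entry), diffs a before and after log, and runs two weak-signal checks: an O23 service whose file carries no company name ("Unknown owner") and an O4 Run value whose image is a bare name resolved through the search path. The sample logs are constructed excerpts of the two logs posted in this thread, with the DPF URLs kept exactly as the forum shortened them.

```python
"""Parse, diff and sanity-check HijackThis (HJT) logs.

Added example for this thread; it is not HijackThis code. The line grammar is
inferred from the O2/O4/O16/O23 lines in the two logs posted above, so any
section laid out differently is an assumption and falls back to a raw entry.
"""
import re
from dataclasses import dataclass

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<target>.*)$")                         # O4
SVC_RE = re.compile(r"^(?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")             # O23
DPF_RE = re.compile(r"^(?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<target>.+)$")  # O16
COM_RE = re.compile(r"^(?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.+)$")          # O2/O3/O9


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O4", ...
    kind: str      # "BHO", "HKLM\\..\\Run", "Service", "DPF", ...
    name: str
    clsid: str     # upper-cased, "" when the line carries none
    owner: str     # O23 only: the company name HJT read from the file's version info
    target: str    # path, command line or download URL


def parse_line(line):
    """Return an Entry for one HJT O-line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m["section"], m["kind"], m["rest"]
    if section == "O4" and (r := RUN_RE.match(rest)):
        return Entry(section, kind, r["name"], "", "", r["target"])
    if section == "O23" and (r := SVC_RE.match(rest)):
        return Entry(section, kind, r["name"], "", r["owner"], r["target"])
    if section == "O16" and (r := DPF_RE.match(rest)):
        return Entry(section, kind, r["name"] or "", r["clsid"].upper(), "", r["target"])
    if r := COM_RE.match(rest):
        return Entry(section, kind, r["name"], r["clsid"].upper(), "", r["target"])
    return Entry(section, kind, rest, "", "", "")   # unknown layout: keep the line whole


def parse_log(text):
    return {e for e in map(parse_line, text.splitlines()) if e is not None}


def diff_logs(before, after):
    """Entries that appeared (added) or disappeared (removed) between two logs."""
    b, a = parse_log(before), parse_log(after)
    return sorted(a - b, key=str), sorted(b - a, key=str)


def weak_signals(text):
    """Cheap checks worth a second look; neither one is proof of infection."""
    flags = []
    for e in parse_log(text):
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            flags.append(("no-vendor-service", e.target))      # no company name in version info
        if e.section == "O4":
            head = e.target.split(" ", 1)[0].strip('"')
            if "\\" not in head:                                # bare image name: found via search path
                flags.append(("image-resolved-by-search-path", head))
    return sorted(flags)


# Constructed excerpts of the two HJT logs posted in this thread (the forum
# shortened the DPF URLs with "..."; they are kept as displayed).
BEFORE_LOG = r"""
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in added:
        print("+", e.section, e.name or e.clsid, e.target)
    for e in removed:
        print("-", e.section, e.name or e.clsid, e.target)
    for flag, what in weak_signals(AFTER_LOG):
        print("?", flag, what)
```

On the excerpts above the diff reports three additions (the SSVHelper BHO, the Java update scheduler now under jre1.6.0_05, and the F-Secure scanner ActiveX control that the online scan installed) and two removals (the jre1.6.0_03 scheduler and the Java DPF entry), which is exactly what changed between the two posted logs. Both weak signals fire on legitimate software here (Realtek's RTHDCPL.EXE and Symantec's licensing service), which is why they are labelled as prompts for a second look rather than verdicts.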
