Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

kxvo.exe PLEASE HELP [RESOLVED]


  • This topic is locked This topic is locked

#121
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It was at the bottom of the Home page.
But here is the link. http://support.f-sec.../home/ols.shtml go tot he bottom of that page and click the Start scanning button.
  • 0

Advertisements


#122
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Please don't close this topic yet. I'll post the log the soonest. The scanner takes too long to scan. Thanks!
  • 0

#123
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No worries I won't close it unless you don't respond in 2 weeks :)
  • 0

#124
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Scanning Report
Wednesday, April 09, 2008 23:17:09 - 00:45:00

Computer name: CLARONE
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 3 malware found
BAT/AutoRun.AE (virus)

* C:\AUTORUN.INF (Submitted)
* D:\AUTORUN.INF (Submitted)

Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 40056
* System: 3808
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\SQLITE_AEK8SHIDW11PLJY
* C:\WINDOWS\TEMP\SQLITE_DCPLX9VFLMYAW5E
* C:\WINDOWS\TEMP\SQLITE_N4CM2JNSAFFKFYK
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-04-09
* F-Secure AVP: 7.0.171, 2008-04-09
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics
  • 0

#125
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\AUTORUN.INF
    D:\AUTORUN.INF
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============
After that please run dss again and post that log and the move it log.
Let me know how it's running?
  • 0

#126
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Still, mozilla's page not found is redirected to a download of an application. I also would like to further establish other effects of the malware. When Yahoo Messenger Tray Icon Error Appears, it opens a debug in Microsoft Developer Studio. This has been happening since the redirection and Yahoo Messenger failure to sign in. Hope it helps.

C:\AUTORUN.INF moved successfully.
D:\AUTORUN.INF moved successfully.

OTMoveIt2 v1.0.21 log created on 04102008_200823

Deckard's System Scanner v20071014.68
Run by Ruberc on 2008-04-10 20:09:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Ruberc.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:43 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ruberc\Desktop\New Folder\OTMoveIt2.exe
C:\Documents and Settings\Ruberc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruberc.exe
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 6835 bytes

-- Files created between 2008-03-10 and 2008-04-10 -----------------------------

2008-04-10 20:06:44 0 d-------- C:\WINDOWS\LastGood
2008-04-09 10:09:12 0 d-------- C:\fsaua.data
2008-04-09 08:24:18 155578 -r-hs---- C:\gvsqikes.cmd
2008-04-08 11:26:00 157333 -r-hs---- C:\n2.bat
2008-04-06 22:45:22 88064 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-04-06 20:24:51 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-05 10:03:16 158774 -r-hs---- C:\lpufwi6.com
2008-04-05 10:02:49 88064 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-04-05 10:02:01 155578 -r-hs---- C:\WINDOWS\system32\kxvo.exe
2008-04-04 09:55:17 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-03 18:59:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-03 18:59:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-03 18:59:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-03 18:59:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-31 11:04:22 0 d-------- C:\Downloads
2008-03-31 11:04:22 0 d-------- C:\Bases
2008-03-31 11:02:48 0 d-------- C:\Kaspersky
2008-03-29 23:47:58 0 d-------- C:\WINDOWS\network diagnostic
2008-03-27 11:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-27 11:24:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:56:23 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-24 13:56:11 0 d-------- C:\Program Files\Saxton NCLEX-RN® 18e
2008-03-16 19:08:19 0 d-------- C:\Documents and Settings\russ\Application Data\PC Suite
2008-03-11 21:47:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-11 06:16:00 0 d-------- C:\Program Files\EPSON
2008-03-11 06:15:50 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-10 00:14:04 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-03-27 19:51:19 0 d-------- C:\Program Files\Yahoo!
2008-03-27 09:43:49 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!
2008-03-24 21:36:06 0 d-------- C:\Program Files\QuickTime
2008-03-24 21:35:00 0 d-------- C:\Program Files\MSN Messenger
2008-03-24 21:29:14 0 d-------- C:\Program Files\Messenger
2008-03-24 21:28:37 0 d-------- C:\Program Files\iTunes
2008-03-08 17:45:21 0 d-------- C:\Program Files\Common Files
2008-03-04 18:43:12 2082 --a------ C:\WINDOWS\mozver.dat
2008-03-01 00:00:17 0 d-------- C:\Documents and Settings\Ruberc\Application Data\McAfee.com Personal Firewall
2008-02-28 21:51:11 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Adobe
2008-02-26 18:43:39 8554 --a------ C:\logfile
2008-02-26 18:43:22 0 d-------- C:\Program Files\KODAK
2008-02-26 18:43:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-25 20:31:50 0 d-------- C:\Program Files\ArcSoft
2008-02-25 19:52:34 0 d-------- C:\Program Files\Common Files\KODAK
2008-02-24 10:10:48 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [04/20/2005 01:38 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [04/20/2005 01:38 AM]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 06:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [03/23/2005 04:33 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:56 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [04/09/2008 08:23 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 03:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 08/12/2004 08:11 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}]
AutoRun\command- F:\lpufwi6.com
explore\Command- F:\lpufwi6.com
open\Command- F:\lpufwi6.com




-- End of Deckard's System Scanner: finished at 2008-04-10 20:10:51 ------------
  • 0

#127
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
This thing is very resilient.

I would like for you to uninstall yahoo as maybe it could be connected somehow.
I would just like to try it.
=================
Then
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
===============================
  • Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Files to delete:
    C:\WINDOWS\system32\ieso0.dll
    C:\WINDOWS\system32\kxvo.exe
    C:\fsaua.data
    C:\gvsqikes.cmd
    C:\WINDOWS\system32\fool0.dll
    C:\lpufwi6.com
    C:\WINDOWS\system32\fool1.dll
    F:\lpufwi6.com
    
    Registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
    
    Registry values to delete:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | kxva

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    Please copy/paste the content of c:\avenger.txt into your reply.
    =========================================================
    AFter that Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
  • 0

#128
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Sorry for the late response. I think the camera previously inserted by another person in this PC made the virus come back.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\kso6.bat" deleted successfully.
File "D:\dhv2u8.cmd" deleted successfully.
File "D:\kso6.bat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 21:30:23 2008

21:30:23: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 21:30:40 2008

21:30:36: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|kxva"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
21:30:40: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 21:31:00 2008

21:31:00: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 21:31:10 2008

21:31:08: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|kxva"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ieso0.dll" deleted successfully.
File "C:\WINDOWS\system32\kxvo.exe" deleted successfully.

Error: "C:\fsaua.data" is a folder, not a file!
Deletion of file "C:\fsaua.data" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\gvsqikes.cmd" deleted successfully.
File "C:\WINDOWS\system32\fool0.dll" deleted successfully.
File "C:\lpufwi6.com" deleted successfully.
File "C:\WINDOWS\system32\fool1.dll" deleted successfully.

Error: could not open file "F:\lpufwi6.com"
Deletion of file "F:\lpufwi6.com" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#129
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
otscanit log

Attached Files


Edited by amm007, 13 April 2008 - 08:04 AM.

  • 0

#130
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Before proceeding please enter all the removable devices that you believe are infected.
(Keep all devices inserted until the end of all of these instructions)

Then with all of them plugged in run the flash disinfector again.
Then do the following:
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat 
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Windows\system32\kxvo.exe
C:\WINDOWS\system32\ieso0.dll
C:\n2.bat 
C:\sqmdata00.sqm
C:\sqmdata01.sqm 
C:\sqmdata02.sqm
C:\w2ngo.com
C:\sqmdata03.sqm  
C:\sqmdata04.sqm 
C:\sqmdata05.sqm 
C:\sqmdata06.sqm 
C:\sqmdata07.sqm 
C:\sqmdata08.sqm 
C:\sqmdata09.sqm 
C:\sqmdata10.sqm 
C:\sqmdata11.sqm 
C:\sqmdata12.sqm 
C:\sqmdata13.sqm 
C:\sqmdata14.sqm 
C:\sqmdata15.sqm 
C:\sqmdata16.sqm 
C:\sqmdata17.sqm 
C:\sqmdata18.sqm 
C:\sqmdata19.sqm 
C:\sqmnoopt00.sqm 
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm 
C:\sqmnoopt03.sqm 
C:\sqmnoopt04.sqm 
C:\sqmnoopt05.sqm 
C:\sqmnoopt06.sqm 
C:\sqmnoopt07.sqm 
C:\sqmnoopt08.sqm 
C:\sqmnoopt09.sqm 
C:\sqmnoopt10.sqm 
C:\sqmnoopt11.sqm 
C:\sqmnoopt12.sqm 
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm 
C:\sqmnoopt15.sqm 
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm 
C:\sqmnoopt18.sqm 
C:\sqmnoopt19.sqm

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply .
==========================================================
Then immediatley update the e-scan program boot into safe mode and scan the entire computer as we did before.
Post that log.
===========
Then:
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.
======================
Post back with these logs:
New dss log
The AVenger log
Escan log
KAspersky log

  • 0

Advertisements


#131
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat" deleted successfully.
File "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat" deleted successfully.

Error: file "C:\Windows\system32\kxvo.exe" not found!
Deletion of file "C:\Windows\system32\kxvo.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ieso0.dll" not found!
Deletion of file "C:\WINDOWS\system32\ieso0.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\n2.bat" deleted successfully.
File "C:\sqmdata00.sqm" deleted successfully.
File "C:\sqmdata01.sqm" deleted successfully.
File "C:\sqmdata02.sqm" deleted successfully.
File "C:\w2ngo.com" deleted successfully.
File "C:\sqmdata03.sqm" deleted successfully.
File "C:\sqmdata04.sqm" deleted successfully.
File "C:\sqmdata05.sqm" deleted successfully.
File "C:\sqmdata06.sqm" deleted successfully.
File "C:\sqmdata07.sqm" deleted successfully.
File "C:\sqmdata08.sqm" deleted successfully.
File "C:\sqmdata09.sqm" deleted successfully.
File "C:\sqmdata10.sqm" deleted successfully.
File "C:\sqmdata11.sqm" deleted successfully.
File "C:\sqmdata12.sqm" deleted successfully.
File "C:\sqmdata13.sqm" deleted successfully.
File "C:\sqmdata14.sqm" deleted successfully.
File "C:\sqmdata15.sqm" deleted successfully.
File "C:\sqmdata16.sqm" deleted successfully.
File "C:\sqmdata17.sqm" deleted successfully.
File "C:\sqmdata18.sqm" deleted successfully.
File "C:\sqmdata19.sqm" deleted successfully.
File "C:\sqmnoopt00.sqm" deleted successfully.
File "C:\sqmnoopt01.sqm" deleted successfully.
File "C:\sqmnoopt02.sqm" deleted successfully.
File "C:\sqmnoopt03.sqm" deleted successfully.
File "C:\sqmnoopt04.sqm" deleted successfully.
File "C:\sqmnoopt05.sqm" deleted successfully.
File "C:\sqmnoopt06.sqm" deleted successfully.
File "C:\sqmnoopt07.sqm" deleted successfully.
File "C:\sqmnoopt08.sqm" deleted successfully.
File "C:\sqmnoopt09.sqm" deleted successfully.
File "C:\sqmnoopt10.sqm" deleted successfully.
File "C:\sqmnoopt11.sqm" deleted successfully.
File "C:\sqmnoopt12.sqm" deleted successfully.
File "C:\sqmnoopt13.sqm" deleted successfully.
File "C:\sqmnoopt14.sqm" deleted successfully.
File "C:\sqmnoopt15.sqm" deleted successfully.
File "C:\sqmnoopt16.sqm" deleted successfully.
File "C:\sqmnoopt17.sqm" deleted successfully.
File "C:\sqmnoopt18.sqm" deleted successfully.
File "C:\sqmnoopt19.sqm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#132
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Deckard's System Scanner v20071014.68
Run by Ruberc on 2008-04-17 21:14:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Ruberc.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:27 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruberc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruberc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 6662 bytes

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-09 10:09:12 0 d-------- C:\fsaua.data
2008-04-06 20:24:51 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-04 09:55:17 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-03 18:59:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-03 18:59:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-03 18:59:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-03 18:59:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-31 11:04:22 0 d-------- C:\Downloads
2008-03-31 11:04:22 0 d-------- C:\Bases
2008-03-31 11:02:48 0 d-------- C:\Kaspersky
2008-03-29 23:47:58 0 d-------- C:\WINDOWS\network diagnostic
2008-03-27 11:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-27 11:24:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:56:23 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-24 13:56:11 0 d-------- C:\Program Files\Saxton NCLEX-RN® 18e


-- Find3M Report ---------------------------------------------------------------

2008-03-27 19:51:19 0 d-------- C:\Program Files\Yahoo!
2008-03-27 09:43:49 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!
2008-03-24 21:36:06 0 d-------- C:\Program Files\QuickTime
2008-03-24 21:35:00 0 d-------- C:\Program Files\MSN Messenger
2008-03-24 21:29:14 0 d-------- C:\Program Files\Messenger
2008-03-24 21:28:37 0 d-------- C:\Program Files\iTunes
2008-03-11 06:16:00 0 d-------- C:\Program Files\EPSON
2008-03-10 00:14:04 0 d-------- C:\Program Files\Trend Micro
2008-03-08 17:45:21 0 d-------- C:\Program Files\Common Files
2008-03-04 18:43:12 2082 --a------ C:\WINDOWS\mozver.dat
2008-03-01 00:00:17 0 d-------- C:\Documents and Settings\Ruberc\Application Data\McAfee.com Personal Firewall
2008-02-28 21:51:11 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Adobe
2008-02-26 18:43:39 8554 --a------ C:\logfile
2008-02-26 18:43:22 0 d-------- C:\Program Files\KODAK
2008-02-26 18:43:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-25 20:31:50 0 d-------- C:\Program Files\ArcSoft
2008-02-25 19:52:34 0 d-------- C:\Program Files\Common Files\KODAK
2008-02-24 10:10:48 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [04/20/2005 01:38 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [04/20/2005 01:38 AM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 12:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 06:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [03/23/2005 04:33 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:56 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"kxva"="C:\WINDOWS\system32\kxvo.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 03:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 08/12/2004 08:11 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe




-- End of Deckard's System Scanner: finished at 2008-04-17 21:15:32 ------------
  • 0

#133
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good how are things running?

Have Hijackthis fix this entry :
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
Then close Hijackthis.
=================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

#134
amm007

amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Still doing the two scans.Will post the two results first before fixing with HJT.
  • 0

#135
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
ok :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP