Geeks to Go
HELP: Win32: TratBHO [Trj] [RESOLVED]


This topic is locked.

#16 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there becca hoo,

It would be a good thing to do, so please do this.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After you have done this, proceed with the above steps. This means ComboFix will run twice; please only post the log produced by the second run (the one where you will use the CFScript).
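As an added example that is not part of Mike's post and is not ComboFix's own code: a small Python triage script that reads a ComboFix log and checks the two things asked for above (that the log comes from the CFScript run, and that the Recovery Console was installed) before listing what the run actually removed. The header and section layout follow the ComboFix log format as it appears in this thread; the function and field names, and the short sample log embedded in the script, are this example's own construction.

```python
"""Triage a ComboFix log before reading it by hand.

Added example for this thread; not part of the original post and not
ComboFix's own code. It checks that the log is the CFScript (second) run,
that the Recovery Console was present, and that every path the CFScript
asked for actually shows up under 'Other Deletions'. Names are this
example's own choice; the layout follows the ComboFix log format.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the ComboFix log layout: header, the 'FILE ::' list of
# paths the CFScript asked to delete, then the 'Other Deletions' section.
SAMPLE_LOG = """\
ComboFix 08-05-08.1 - Rebecca 2008-05-11 1:06:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.474 [GMT 10:00]
Running from: C:\\Documents and Settings\\Rebecca\\Desktop\\ComboFix.exe
Command switches used :: C:\\Documents and Settings\\Rebecca\\Desktop\\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\\Documents and Settings\\Rebecca\\Desktop\\Tomo Bear\\IMG_1606.JPG
C:\\WINDOWS\\system32\\bwfwxhbn.exe
C:\\WINDOWS\\system32\\sxspirsv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\BM537cb3b4.xml
C:\\WINDOWS\\system32\\bwfwxhbn.exe
C:\\WINDOWS\\system32\\sxspirsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Service_LVUVC
"""

# Section banners look like '((((( Other Deletions )))))'; capture the title.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


@dataclass
class ComboFixRun:
    version: str = ""
    cfscript: str = ""                  # path after 'Command switches used ::'
    recovery_console_missing: bool = False
    requested: list = field(default_factory=list)   # 'FILE ::' entries
    deleted: list = field(default_factory=list)     # 'Other Deletions' entries
    services_removed: list = field(default_factory=list)


def parse_combofix_log(text: str) -> ComboFixRun:
    """Walk the log once, tracking which banner-delimited section we are in."""
    run = ComboFixRun()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if line == "FILE ::":
            section = "FILE"
            continue
        if section == "header":
            if line.startswith("ComboFix "):
                run.version = line.split(" - ", 1)[0][len("ComboFix "):]
            elif line.startswith("Command switches used ::"):
                run.cfscript = line.split("::", 1)[1].strip()
            elif "DOES NOT HAVE THE RECOVERY CONSOLE" in line:
                run.recovery_console_missing = True
        elif section == "FILE":
            run.requested.append(line)
        elif section == "Other Deletions":
            run.deleted.append(line)
        elif section == "Drivers/Services":
            run.services_removed.append(line.lstrip("-\\"))
    return run


def triage(run: ComboFixRun) -> list:
    """Points a helper would raise before asking the poster for anything else."""
    issues = []
    if not run.cfscript:
        issues.append("no CFScript on the command line: this is the first run, post the second log")
    if run.recovery_console_missing:
        issues.append("Recovery Console not installed: drop the KB310994 package onto ComboFix.exe and rerun")
    for path in run.requested:
        if path not in run.deleted:
            issues.append(f"requested by CFScript but not deleted: {path}")
    return issues


if __name__ == "__main__":
    result = parse_combofix_log(SAMPLE_LOG)
    print(f"ComboFix {result.version}, CFScript: {result.cfscript or 'none'}")
    for item in triage(result):
        print(" -", item)
```

The third check is the one worth keeping: a path listed under `FILE ::` is only a request from the CFScript, and a path that does not reappear under `Other Deletions` was not removed, which is exactly the kind of leftover that warrants another run or a different tool.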



#17 becca_hoo (Topic Starter, Member, 15 posts)
Hi Mike, sorry the scans took forever, and our timezones don't help either. Anyway, below are the logs that you requested.


Combofix.txt log
ComboFix 08-05-08.1 - Rebecca 2008-05-11 1:06:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.474 [GMT 10:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rebecca\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\IMG_1606.JPG
C:\WINDOWS\BM537cb3b4.xml
C:\WINDOWS\system32\bwfwxhbn.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\sxspirsv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\BM537cb3b4.xml
C:\WINDOWS\system32\bwfwxhbn.exe
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\sxspirsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_LVUVC


((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-06-05 21:40 . 2008-05-09 16:53 443,573 --a------ C:\WINDOWS\system32\EPSETUP.CAB
2008-06-05 21:40 . 2008-05-09 16:53 288,201 --a------ C:\WINDOWS\system32\EPPRTDRV.CAB
2008-06-05 21:40 . 2008-05-09 16:53 8,284 --a------ C:\WINDOWS\system32\eps_icon.avi
2008-06-05 21:34 . 2008-06-05 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-05-09 20:36 . 2008-05-09 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-05-09 20:34 . 2008-05-09 20:34 <DIR> d-------- C:\SophosAnti-Virus
2008-05-09 17:45 . 2008-05-09 17:45 <DIR> d-------- C:\_OTMoveIt
2008-05-09 17:28 . 2008-05-09 17:28 <DIR> d-------- C:\VundoFix Backups
2008-05-09 16:46 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-09 16:44 . 2008-05-09 16:46 <DIR> d-------- C:\Program Files\Java
2008-05-09 16:44 . 2008-05-09 16:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-09 09:26 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-09 09:26 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-05-08 19:05 . 2008-05-08 19:05 <DIR> d-------- C:\Deckard
2008-05-08 09:01 . 2008-05-08 09:01 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-05-08 00:35 . 2008-05-08 00:35 <DIR> d-------- C:\Documents and Settings\Rebecca\Application Data\Nero
2008-05-08 00:25 . 2008-05-09 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-03 12:32 . 2008-05-08 00:25 <DIR> d-------- C:\Program Files\Nero
2008-05-03 11:28 . 2008-05-03 11:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-03 11:28 . 2008-05-03 11:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-01 13:12 . 2008-05-01 13:12 <DIR> d-------- C:\Program Files\EA GAMES
2008-05-01 13:12 . 2004-08-18 18:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-04-30 13:27 . 2008-04-30 13:27 <DIR> dr------- C:\Documents and Settings\Rebecca\Application Data\Brother
2008-04-30 13:25 . 2008-05-09 00:12 426 --a------ C:\WINDOWS\BRWMARK.INI
2008-04-30 13:25 . 2008-04-30 13:25 34 --a------ C:\WINDOWS\system32\BD2140.DAT
2008-04-30 13:23 . 2008-04-30 13:23 <DIR> d-------- C:\Program Files\Brownie
2008-04-30 13:23 . 2004-08-10 00:42 77,824 --a------ C:\WINDOWS\system32\brlmw03a.dll
2008-04-30 13:23 . 2008-04-30 13:23 9,853 --a------ C:\WINDOWS\HL-2140.INI
2008-04-30 13:23 . 2008-04-30 13:23 145 --a------ C:\WINDOWS\BRVIDEO.INI
2008-04-30 13:23 . 2004-08-10 01:00 114 --a------ C:\WINDOWS\system32\brlmw03a.ini
2008-04-30 13:23 . 2008-04-30 13:23 0 --a------ C:\WINDOWS\brmx2001.ini
2008-04-30 13:20 . 2008-04-30 13:23 <DIR> d-------- C:\Program Files\Brother
2008-04-30 13:20 . 2007-04-24 01:30 192,512 --a------ C:\WINDOWS\system32\Pdrvinst.dll
2008-04-30 13:20 . 2006-12-21 11:23 176,128 --a------ C:\WINDOWS\system32\BROSNMP.DLL
2008-04-30 13:20 . 2007-08-20 02:34 94,208 --a------ C:\WINDOWS\system32\BRRBTOOL.EXE
2008-04-30 13:20 . 2004-09-24 01:00 24,223 --a------ C:\WINDOWS\system32\BRLM03A.DLL
2008-04-30 13:19 . 2008-05-11 01:27 318 --a------ C:\WINDOWS\Brownie.ini
2008-04-21 20:50 . 2008-04-21 20:50 <DIR> d-------- C:\ATI
2008-04-18 20:01 . 2008-04-18 21:26 <DIR> d-------- C:\Program Files\Grim Fandango
2008-04-14 21:41 . 2008-04-14 21:41 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-14 21:40 . 2008-04-14 21:40 <DIR> d-------- C:\Program Files\Real
2008-04-11 08:57 . 2008-04-23 10:06 <DIR> d-------- C:\Games
2008-04-10 08:21 . 2008-04-10 08:21 <DIR> d-------- C:\Program Files\Telltale Games
2008-04-10 00:01 . 1997-05-12 17:53 314,368 --a------ C:\WINDOWS\uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 11:43 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-10 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-10 09:41 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\Skype
2008-05-08 23:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 23:34 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-08 09:10 --------- d-----w C:\Program Files\Trend Micro
2008-05-07 14:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 02:28 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-03 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-03 01:31 --------- d-----w C:\Program Files\DivX
2008-05-03 01:30 --------- d-----w C:\Program Files\CloneDVD
2008-05-03 01:29 --------- d-----w C:\Program Files\QuickTime
2008-05-01 05:52 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\AdobeUM
2008-04-23 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-22 21:55 --------- d-----w C:\Program Files\PopCap Games
2008-04-16 10:23 --------- d-----w C:\Program Files\MSN Messenger
2008-04-16 10:23 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-14 11:41 --------- d-----w C:\Program Files\Common Files\Real
2008-04-10 07:38 --------- d-----w C:\Program Files\Ubisoft
2008-03-27 10:41 --------- d-----w C:\Program Files\DVDVideoSoft
2008-03-27 10:41 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-03-14 15:21 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\DisplayTune
2008-03-14 15:18 --------- d-----w C:\Program Files\Common Files\Portrait Displays
2008-03-14 15:17 --------- d-----w C:\Program Files\Portrait Displays
2006-07-30 11:28 24,192 -c--a-w C:\Documents and Settings\Rebecca\usbsermptxp.sys
2006-07-30 11:28 22,768 -c--a-w C:\Documents and Settings\Rebecca\usbsermpt.sys
.

((((((((((((((((((((((((((((( [email protected]_ 9.51.19.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 23:43:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-10 15:25:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 06:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CIR"="C:\WINDOWS\system32\drivers\CIR.exe" [2006-02-14 02:20 28672]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 20:25 15969280 C:\WINDOWS\RTHDCPL.exe]
"IviRCService"="C:\Program Files\BenQ\Common\Bin\iviRCService.exe" [2006-03-12 00:39 73728]
"IMCServerAutoStart"="C:\Program Files\BenQ\IMCSvr\IMCSvr.exe" [2006-02-22 22:48 802816]
"Q-HotkeyMgr"="C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe" [2006-01-27 10:26 155648]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 11:47 569413]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-28 19:58 761945]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 07:48 479232]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 04:17 55824 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"DT LGE"="C:\Program Files\Portrait Displays\forteManager\DTHtml.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-14 21:40 185896]
"BrStsWnd"="C:\Program Files\Brownie\BrstsWnd.exe" [2008-01-08 09:28 864256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-09-06 10:39:18 1528880]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-11 02:07:29 789008]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\edit.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 14:30 72208 c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
backup=C:\WINDOWS\pss\WordWeb.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rebecca^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-13 08:43 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a--c--- 2005-12-11 00:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Q-MediaBar]
--a--c--- 2005-11-29 03:20 282713 C:\Program Files\BenQ\Q-MediaBar\QBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QMusic2]
--a--c--- 2005-03-08 09:40 151552 C:\Program Files\BenQ\QMusic2\QMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPower]
--a--c--- 2006-01-27 11:07 155648 C:\Program Files\BenQ\QPower\QPower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPresentation]
--a--c--- 2006-02-14 11:45 65613 C:\Program Files\BenQ\QPresentation\QPresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-14 21:40 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\BenQ\\QMedia Center\\QMC.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\BenQ\\IMCSvr\\IMCSvr.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\SIERRA\\Lords2\\LORDS2.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50604:TCP"= 50604:TCP:Azureus
"6668:TCP"= 6668:TCP:Heroes of Might and Magic V
"44000:UDP"= 44000:UDP:Heroes of Might and Magic V
"45000:UDP"= 45000:UDP:Heroes of Might and Magic V
"42500:UDP"= 42500:UDP:Heroes of Might and Magic V
"8888:UDP"= 8888:UDP:Heroes of Might and Magic V
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 14:32]
R2 MTC0301_CIR;CIR Device;C:\WINDOWS\system32\drivers\CIR.sys [2004-11-27 00:41]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys []
S3 aver7700;AVerMedia aver7700 DVB-T;C:\WINDOWS\system32\Drivers\aver7700.sys [2006-02-21 07:12]
S3 QBIOSHw.dll;QBIOSHw.dll;C:\Program Files\BenQ\Q-HotkeyMgr\QBIOSHw.dll [2006-01-24 14:25]
S3 QDtvHw.dll;QDtvHw.dll;C:\Program Files\BenQ\QMedia Center\QDtvHw.dll [2006-02-06 17:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5feb318-171a-11dd-9848-0013024cc076}]
\Shell\AutoRun\command - H:\PMB_P.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 01:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-11 1:34:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 15:34:47
ComboFix2.txt 2008-05-09 23:51:39

Pre-Run: 4,399,067,136 bytes free
Post-Run: 4,416,446,464 bytes free

260 --- E O F --- 2008-04-09 17:04:04


MalwareBytes' Antimalware log

Malwarebytes' Anti-Malware 1.12
Database version: 738

Scan type: Quick Scan
Objects scanned: 35156
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-11 10:26
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 754081
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 102789
Number of viruses found: 6
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 02:00:56

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080509165649\backup\DOCUME~1\Rebecca\LOCALS~1\Temp\NERO14768\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Microsoft\Templates\Normal.dotm Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Microsoft\Word\AutoRecovery save of Crim #0 - Policy.asd Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\cert8.db Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\history.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\key3.db Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\parent.lock Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\alert1024.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\call256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chat256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chat512.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg16384.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\chatsync\43\43c08617756e9c3e.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\index2.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\profile4096.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\sms1024.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\sms256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\sms512.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\user1024.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\user16384.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\user256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Application Data\Skype\becca_hoo\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Rebecca\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Desktop\Crim A\Crim #0 - Policy.doc Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_E50_4F93_504F_8087\dfsr.db Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_E50_4F93_504F_8087\fsr.log Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_E50_4F93_504F_8087\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_E50_4F93_504F_8087\tmp.edb Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjm9x4lm.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DF1532.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DF153F.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DF387B.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DF3899.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DF3F07.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\temp\~DFD2B7.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.Word\~WRS{49699FAA-9084-4FF9-8819-8D7E85F6FA43}.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.Word\~WRS{8A299B14-9CD5-4F46-9B26-900D999D08B0}.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\Local Settings\Temporary Internet Files\Content.Word\~WRS{BFD3FC8D-211C-4FEB-BF13-6E91B056F273}.tmp Object is locked skipped
C:\Documents and Settings\Rebecca\My Documents\My Chat Logs\May 2008\[email protected] Object is locked skipped
C:\Documents and Settings\Rebecca\My Documents\My Chat Logs\May 2008\[email protected] Object is locked skipped
C:\Documents and Settings\Rebecca\ntuser.dat Object is locked skipped
C:\Documents and Settings\Rebecca\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080509-223158-702.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080509-224243-610.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqqqrO.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geBQiGWQ.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGyawWN.dll.vir Infected: Trojan.Win32.Monder.dg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jrnhortr.dll.vir Infected: Trojan.Win32.Monder.de skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qjwmimnn.dll.vir Infected: Trojan.Win32.Monder.df skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tstjvxwd.dll.vir Infected: Trojan.Win32.Monder.de skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP578\A0211954.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP590\A0214595.dll Infected: Trojan.Win32.Monder.dg skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214613.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214615.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214616.dll Infected: Trojan.Win32.Monder.dg skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214617.dll Infected: Trojan.Win32.Monder.de skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214618.dll Infected: Trojan.Win32.Monder.df skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214620.dll Infected: Trojan.Win32.Monder.de skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214663.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214663.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214664.exe/data0000.cab/is202320.exe Infected: Backdoor.Win32.VanBot.oe skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214664.exe/data0000.cab Infected: Backdoor.Win32.VanBot.oe skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214664.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP595\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP595\change.log Object is locked skipped

Scan process completed.


A new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33, on 2008-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CIR.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BenQ\Common\Bin\iviRCService.exe
C:\Program Files\BenQ\IMCSvr\IMCSvr.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.monash.edu.au/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CIR] C:\WINDOWS\system32\drivers\CIR.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IviRCService] "C:\Program Files\BenQ\Common\Bin\iviRCService.exe"
O4 - HKLM\..\Run: [IMCServerAutoStart] "C:\Program Files\BenQ\IMCSvr\IMCSvr.exe"
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zon...mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\IMG_1614.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\edit.JPG

--
End of file - 9833 bytes
:) Why is my computer still infected?

#18
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Hi there becca hoo,

Do you know where these two entries come from?

O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\IMG_1614.JPG
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Rebecca\Desktop\Tomo Bear\edit.JPG


If not, fix them with Hijack This and delete this folder: C:\Documents and Settings\Rebecca\Desktop\Tomo Bear

Other than that, your logs look good. The items that Kaspersky found are only in quarantines or in System Restore and are not active. They will be removed anyway.

Are you still experiencing any problems? Tell me and we will get on to removing the leftovers if you are not.
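Mike's reasoning above (a detection that sits only in ComboFix's quarantine, in the HijackThis backups folder or inside a System Restore point is not running and will go away with the cleanup) can be applied mechanically to a Kaspersky Online Scanner report. The script below is an added example written for this page; it is not part of the thread and not code from Kaspersky, ComboFix or HijackThis. It parses report lines in the format posted above, sorts each detection by where it lives, and leaves anything outside those three dead locations in a "live" bucket. The sample report is constructed from lines of the posted log plus one made-up live detection (C:\WINDOWS\system32\xyzabcde.dll, a hypothetical path) so that the live bucket is not empty.

```python
"""Sort a Kaspersky Online Scanner report into live detections and dead ones."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: the first five lines are copied from the report posted in
# this thread; the last line is a made-up detection in a live location (the
# path is hypothetical), added so the "live" bucket is not empty.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Rebecca\ntuser.dat Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080509-223158-702.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqqqrO.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214664.exe/data0000.cab/is202320.exe Infected: Backdoor.Win32.VanBot.oe skipped
C:\System Volume Information\_restore{ABE723B7-14AA-41FC-8010-A3B3D0D400E2}\RP591\A0214664.exe Rsrc-Package: infected - 2 skipped
C:\WINDOWS\system32\xyzabcde.dll Infected: Trojan.Win32.Monder.gen skipped
"""

# One report line is "<path> Infected: <name> skipped",
# "<path> <Packer>: infected - <n> skipped" (archive/installer summary) or
# "<path> Object is locked skipped" (not a detection at all).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<pkg>[\w-]+): infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)


class Detection(NamedTuple):
    path: str
    name: str
    location: str


def classify(path: str) -> str:
    """Map where a detection sits to whether it can still execute."""
    container = path.split("/", 1)[0].lower()  # drop archive-member suffix
    if "\\qoobox\\quarantine\\" in container:  # ComboFix quarantine, renamed .vir
        return "combofix_quarantine"
    if "\\hijackthis\\backups\\" in container:  # HijackThis backup copies
        return "hijackthis_backup"
    if "\\system volume information\\_restore" in container:  # restore points
        return "system_restore"
    return "live"


def triage(report: str) -> Dict[str, List[Detection]]:
    """Bucket every detection in the report by location."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (m["name"] is None and m["pkg"] is None):
            continue  # blank, unparsable, or "Object is locked"
        name = m["name"] or f"{m['pkg']} container, {m['count']} infected member(s)"
        loc = classify(m["path"])
        buckets[loc].append(Detection(m["path"], name, loc))
    return dict(buckets)


if __name__ == "__main__":
    for loc, hits in triage(SAMPLE_REPORT).items():
        print(f"{loc}: {len(hits)}")
        for d in hits:
            print(f"  {d.name}  {d.path}")
```

Anything in the live bucket is what actually needs attention; the other three buckets are inert copies (ComboFix renames what it quarantines with a .vir extension, and a restore-point copy only comes back if someone rolls the system back to that point, which is why cleanup guides finish by flushing old restore points). Run it as is to see the sample buckets, or call triage() on the text of a full report.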

#19
becca_hoo
    Member
  • Topic Starter
  • 15 posts
I'm not experiencing any problems and the Tomo Bear folder is not malicious :)


hooray! moving on...

#20
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Hi becca hoo,

Only a few steps left before you get rid of me :)

Please make sure that this folder is deleted: C:\Program Files\Trend Micro\HijackThis\backups

You may keep MalwareBytes' Anti-Malware if you wish as an on demand scanner, if not you can uninstall it and delete this folder C:\Program Files\MalwareBytes' Anti-Malware

Step 1. Removing ComboFix

Click START then RUN
Now type Combofix /u in the runbox and click OK
Notice the space between the x and the /: it needs to be there.

Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

#21
becca_hoo
    Member
  • Topic Starter
  • 15 posts
Hi Mike!

I have a couple of questions before you go!

1) Should I remove HijackThis from my computer?
2) Should I remove dss.exe from my computer?
3) Should I remove OTMoveIt2 from my computer?
4) Should I remove ATF-Cleaner from my computer?
5) If yes to any of the above, how do I remove it?
6) I've removed Avast and Sophos from my computer but have been using Avast for the past 2 years and I still like it. Would you suggest I continue using Avast or switch to SpywareBlaster? Can I keep MalwareBytes' Anti-Malware while having Avast / SpywareBlaster / IE-SPYAD? What combinations should I go with?
7) My computer clock is still in a weird display - it displays 2008-05-13 when it should say 13th May 2008. It also displays my time in the 24 hour setting vs. using AM PM. How do I fix this?
8) Some of the applications in my processor list look odd to me as I don't know where they are coming from. Could you have a look at the list below and tell me if any of the running applications are malicious?
http://img225.images...kmanagertg2.jpg


Guess it's me who will be out of your hair soon! lol thanks for helping me out Mike -- I hope to hear from you soon :)

Edited by becca_hoo, 12 May 2008 - 10:04 AM.


#22
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Hi there becca hoo,

Let's get you sorted out.


1) Should I remove HijackThis from my computer?
2) Should I remove dss.exe from my computer?
3) Should I remove OTMoveIt2 from my computer?
4) Should I remove ATF-Cleaner from my computer?
5) If yes to any of the above, how do I remove it?


The programs you have listed there are not harmful and I would recommend you keep ATF as it is a very good program that will clean out your temporary files for you (just remember to run it :))

If you want these removed please do the following:

Please open OTMoveIt2:
  • Double click OTMoveIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

This will remove Deckard's System Scanner (DSS) and OTMoveIt2.

If you want to remove Hijack This, Go to Start > Add or Remove Programs and uninstall:

Trend Micro Hijack This v.2.0.2

Then go delete this folder: C:\Program Files\Trend Micro\HijackThis

And that's it!

Now on to your next questions:

6) I've removed Avast and Sophos from my computer but have been using Avast for the past 2 years and I still like it. Would you suggest I continue using Avast or switch to SpywareBlaster? Can I keep MalwareBytes' Anti-Malware while having Avast / SpywareBlaster / IE-SPYAD? What combinations should I go with?


Removing both Avast! and Sophos was not a great idea; you do need an antivirus program running. These programs are necessary in keeping your computer free of malware; without one you are very likely to get re-infected within a very short period of time. Take a look at the below programs and make a choice as to which one you want to run.
Note: Make sure to only install ONE program, as having more can cause conflicts between these programs, which in turn lowers your protection and slows down your computer.
You could also re-install Avast!, but I feel both of the above programs out-perform it. It is entirely up to you as to which program you want to run.

SpywareBlaster is NOT an Anti-Virus, take a look at the tutorial here

You may keep MalwareBytes' Anti-Malware; it is not actively running on your computer and will do you no harm. The combination you listed, "Avast / SpywareBlaster / IE-SPYAD", is fine.

All you have to keep in mind is that you should be running only ONE antivirus and only ONE firewall. You can have as many passive protectors as you want (programs like SpywareBlaster and IE-SPYAD that are not actively running on your computer) but should only run one program with realtime monitoring (firstly because more than one is not needed, and secondly because it slows down your PC).

7) My computer clock is still in a weird display - it displays 2008-05-13 when it should say 13th May 2008. It also displays my time in the 24 hour setting vs. using AM PM. How do I fix this?


This is caused by ComboFix, although it should have been reset when uninstalling it. We can fix it nonetheless. To do so please right click over the time. A menu will appear, select "Adjust Date/Time", then simply choose the format you wish to change it to and press OK

8) Some of the applications in my processor list look odd to me as I don't know where they are coming from. Could you have a look at the list below and tell me if any of the running applications are malicious?


They are all OK. They definitely do look funky, but that's just how they were named. I do not see any baddies on that list, and if there was one it would have popped up in at least one of the logs I had you give me, so don't be alarmed!

I hope this answers all your questions, if you have anymore feel free to post them, otherwise give me a shout that everything's OK :)
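Question 8 above was answered by eye. The script below is an added example written for this page, not code from the thread, from Trend Micro or from any tool mentioned here; it does a first mechanical pass over HijackThis O2, O4 and O23 lines and flags what a helper checks first: services listed as "Unknown owner", run keys or BHOs pointing at user-writable locations (Temp, a user profile) or outside Program Files and Windows, and eight-letter random-looking DLL/EXE names in system32 of the kind ComboFix quarantined on this machine (awtqqqrO.dll, geBQiGWQ.dll, hgGyawWN.dll). The sample lines are taken from the posted log plus two constructed suspicious entries (a BHO with an all-zero placeholder CLSID pointing at one of those quarantined names, and a hypothetical updater.exe in Temp). A flag means "look at this", not "this is malware": HijackThis reports "Unknown owner" when it cannot read a company name from the binary, which is why the legitimate Portrait Displays DTSRVC service is flagged too.

```python
"""Mechanical first pass over a HijackThis 2.0 log: flag entries a human should review."""
import re
from typing import List, NamedTuple

# Constructed sample: the first five lines are copied from the log posted in
# this thread; the last two are made up to show what suspicious entries look
# like (all-zero placeholder CLSID; hypothetical updater.exe in Temp).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CIR] C:\WINDOWS\system32\drivers\CIR.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\awtqqqrO.dll
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Rebecca\Local Settings\Temp\updater.exe
"""


class Finding(NamedTuple):
    flag: str
    entry: str
    path: str


ITEM_RE = re.compile(r"^(O\d+) - ")
# First executable path in the entry: a quoted or unquoted full path, or a bare
# file name such as RTHDCPL.EXE that is resolved via the search path.
PATH_RE = re.compile(
    r'"?(?P<path>(?:[A-Za-z]:\\[^"]*?|[^\\\s"]+)\.(?:exe|dll|com|scr|bat|cmd|pif))\b',
    re.IGNORECASE,
)
STANDARD_DIRS = ("\\program files\\", "\\windows\\")
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\")
RANDOM_STEM = re.compile(r"[A-Za-z]{8}")  # Monder/Vundo-style 8-letter names


def binary_path(entry: str) -> str:
    m = PATH_RE.search(entry)
    return m["path"] if m else ""


def check_entry(entry: str) -> List[Finding]:
    """Return zero or more review flags for one HijackThis line."""
    item = ITEM_RE.match(entry)
    if not item:
        return []
    kind = item[1]
    path = binary_path(entry)
    low = path.lower()
    findings: List[Finding] = []
    if kind == "O23" and " - Unknown owner - " in entry:
        findings.append(Finding("unknown_owner", entry, path))
    if kind in ("O2", "O4") and path:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in low and RANDOM_STEM.fullmatch(stem):
            findings.append(Finding("random_name_in_system32", entry, path))
        # Only judge location when we actually have an absolute path.
        if ":\\" in low and not any(d in low for d in STANDARD_DIRS):
            findings.append(Finding("outside_standard_dirs", entry, path))
        if any(d in low for d in USER_WRITABLE):
            findings.append(Finding("user_writable_location", entry, path))
    return findings


def review(log: str) -> List[Finding]:
    out: List[Finding] = []
    for line in log.splitlines():
        out.extend(check_entry(line.strip()))
    return out


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.flag:24} {f.path}")
```

Note what is not flagged: ifrmewrk.exe is also an eight-letter name, but it lives under Program Files, so the random-name rule (deliberately limited to system32, where the Monder DLLs were dropped) leaves it alone, and the bare RTHDCPL.EXE gets no location verdict because there is no path to judge.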

#23
becca_hoo
    Member
  • Topic Starter
  • 15 posts
Hi mikey! It's 12:11am my time but I'm glad to tell you that I think we're finally done! :)

To change the clock settings I had to go into Control Panel > Regional and Language > edit by choosing my location.

Thanks for helping me out! I took your advice and quickly downloaded Avast again. I guess I trust it since it was the one that found out I had a trojan to begin with.

Things I'll be doing:
I'm going to run another Kaspersky log tonight.
Consider downloading either SpywareBlaster or IE-SPYAD.
Run ATF one last time :)

So currently I'm using the Windows firewall + Avast and I'll keep ATF to clean my computer.
I hope I'll be safe from now on!


I feel like you just gave me a whole bunch of condoms and told me to be wise as to the choices I make... LOL... thank you mikey!

Here's me giving you a shout that everything's OK because I highly doubt my results from the scans will be ugly.



To all the random people out there who have had the same problem as I did, I just want to say that Mike's someone you can trust and depend on to stick with you till your [bleep]'s clean! He's a youngin' who is absolutely awesome, mature, and talented! He's gifted and has a lot more to offer!


Don't forget your talents Mike! Many thanks! I am very grateful!

#24
ScHwErV
    Member 5k
  • Retired Staff
  • 21,285 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.