Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help me - Virtumonde [RESOLVED]

Started by Senatora , May 17 2008 12:00 PM

  • This topic is locked This topic is locked

#1
Senatora
Posted 17 May 2008 - 12:00 PM

Senatora

    New Member

  • Member
  • Pip
  • 4 posts
Hello,
I have one or more malware on my computer. Spybot S&D said that it's virtumonde, but can't fix it. So I used VundoFix.exe and VirtumundoBeGone.exe to remove it, but there is still some infection, please help me.
Here is HJT log (this is batko.exe):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:56, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Install\AntiMalware\batko.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kaiowas.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaiowas.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {091C54FD-9AA0-4922-B2F6-F5E13B569C79} - C:\WINDOWS\system32\fccdeBSI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {917F5C16-FD15-488F-B1B4-99DD5F158390} - (no file)
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - (no file)
O2 - BHO: (no name) - {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM8b632314] Rundll32.exe "C:\WINDOWS\system32\qdjqxhab.dll",s
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1292428093-573735546-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191689892265
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0BAF74F-BD3F-4964-8269-DC1A50124CAD}: NameServer = 84.54.136.129
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: opnlJcaY - C:\WINDOWS\
O23 - Service: Apache2.2 - Apache Software Foundation - D:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 8311 bytes



and log from VirtumundoBeGone.exe (VBG.TXT):


[05/17/2008, 20:43:18] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Senator\Desktop\VirtumundoBeGone.exe" )
[05/17/2008, 20:43:22] - Detected System Information:
[05/17/2008, 20:43:22] - Windows Version: 5.1.2600, Service Pack 2
[05/17/2008, 20:43:22] - Current Username: Senator (Admin)
[05/17/2008, 20:43:22] - Windows is in SAFE mode with Networking.
[05/17/2008, 20:43:22] - Searching for Browser Helper Objects:
[05/17/2008, 20:43:22] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:43:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:43:22] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:43:22] - BHO 4: {B3102264-D09D-4322-B625-503FBF18DD7E} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - Checking for HKLM\...\Winlogon\Notify\opnlJcaY
[05/17/2008, 20:43:22] - Found: HKLM\...\Winlogon\Notify\opnlJcaY - This is probably Virtumundo.
[05/17/2008, 20:43:22] - Assigning {B3102264-D09D-4322-B625-503FBF18DD7E} MSEvents Object
[05/17/2008, 20:43:22] - BHO list has been changed! Starting over...
[05/17/2008, 20:43:22] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:43:22] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:43:22] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:43:22] - BHO 4: {B3102264-D09D-4322-B625-503FBF18DD7E} (MSEvents Object)
[05/17/2008, 20:43:22] - ALERT: Found MSEvents Object!
[05/17/2008, 20:43:22] - BHO 5: {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - No filename found. Continuing.
[05/17/2008, 20:43:22] - BHO 6: {F5F76B80-9542-4591-B4D2-7E09A6029E90} ()
[05/17/2008, 20:43:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:43:22] - Checking for HKLM\...\Winlogon\Notify\fccdeBSI
[05/17/2008, 20:43:22] - Key not found: HKLM\...\Winlogon\Notify\fccdeBSI, continuing.
[05/17/2008, 20:43:22] - Finished Searching Browser Helper Objects
[05/17/2008, 20:43:22] - *** Detected MSEvents Object
[05/17/2008, 20:43:22] - Trying to remove MSEvents Object...
[05/17/2008, 20:43:23] - Terminating Process: IEXPLORE.EXE
[05/17/2008, 20:43:23] - Terminating Process: RUNDLL32.EXE
[05/17/2008, 20:43:23] - Disabling Automatic Shell Restart
[05/17/2008, 20:43:23] - Terminating Process: EXPLORER.EXE
[05/17/2008, 20:43:23] - Suspending the NT Session Manager System Service
[05/17/2008, 20:43:23] - Terminating Windows NT Logon/Logoff Manager
[05/17/2008, 20:48:52] - Re-enabling Automatic Shell Restart
[05/17/2008, 20:48:52] - File to disable: C:\WINDOWS\system32\opnlJcaY.dll
[05/17/2008, 20:48:52] - Renaming C:\WINDOWS\system32\opnlJcaY.dll -> C:\WINDOWS\system32\opnlJcaY.dll.vir
[05/17/2008, 20:48:52] - File successfully renamed!
[05/17/2008, 20:48:52] - Removing HKLM\...\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Removing HKCR\CLSID\{B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Adding Kill Bit for ActiveX for GUID: {B3102264-D09D-4322-B625-503FBF18DD7E}
[05/17/2008, 20:48:52] - Deleting ATLEvents/MSEvents Registry entries
[05/17/2008, 20:48:52] - Removing HKLM\...\Winlogon\Notify\opnlJcaY
[05/17/2008, 20:48:52] - Searching for Browser Helper Objects:
[05/17/2008, 20:48:52] - BHO 1: {0000CC75-ACF3-4cac-A0A9-DD3868E06852} (DAPHelper Class)
[05/17/2008, 20:48:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/17/2008, 20:48:52] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:48:52] - BHO 4: {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} ()
[05/17/2008, 20:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:48:52] - No filename found. Continuing.
[05/17/2008, 20:48:52] - BHO 5: {F5F76B80-9542-4591-B4D2-7E09A6029E90} ()
[05/17/2008, 20:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:48:52] - Checking for HKLM\...\Winlogon\Notify\fccdeBSI
[05/17/2008, 20:48:52] - Key not found: HKLM\...\Winlogon\Notify\fccdeBSI, continuing.
[05/17/2008, 20:48:52] - Finished Searching Browser Helper Objects
[05/17/2008, 20:48:52] - Finishing up...
[05/17/2008, 20:48:52] - A restart is needed.
[05/17/2008, 20:49:04] - Attempting to Restart via STOP error (Blue Screen!)
  • 0

Advertisements

#2
greyknight17
Posted 17 May 2008 - 02:15 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kaiowas.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaiowas.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {091C54FD-9AA0-4922-B2F6-F5E13B569C79} - C:\WINDOWS\system32\fccdeBSI.dll
O2 - BHO: (no name) - {917F5C16-FD15-488F-B1B4-99DD5F158390} - (no file)
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - (no file)
O2 - BHO: (no name) - {B6BCDC57-1E60-4B0C-BBF6-CE413E4279DD} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BM8b632314] Rundll32.exe "C:\WINDOWS\system32\qdjqxhab.dll",s
O20 - Winlogon Notify: opnlJcaY - C:\WINDOWS\
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\fccdeBSI.dll
C:\WINDOWS\system32\qdjqxhab.dll
C:\WINDOWS\system32\sfrem01.exe

Don't worry if you have problems deleting any of the above files. We will remove them in the next round.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
Senatora
Posted 20 May 2008 - 06:41 AM

Senatora

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi,
KAIOWAS is legitimate program, which I use.
Here are new logs (if there are items from previous log that I should remove, that means HJT can't fix them):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43:27, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Install\AntiMalware\batko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaiowas.biz
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191689892265
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0BAF74F-BD3F-4964-8269-DC1A50124CAD}: NameServer = 84.54.136.129
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - D:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Unknown owner - C:\WINDOWS\system32\sfrem01.exe (file missing)
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7497 bytes


ComboFix 08-05-19.4 - Senator 2008-05-20 15:29:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1561 [GMT 3:00]
Running from: C:\Documents and Settings\Senator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cLkllkkj.ini
C:\WINDOWS\system32\cLkllkkj.ini2
C:\WINDOWS\system32\ddcDvtro.dll
C:\WINDOWS\system32\fdqjgfpc.ini
C:\WINDOWS\system32\fqaehiak.ini
C:\WINDOWS\system32\ISBedccf.ini
C:\WINDOWS\system32\ISBedccf.ini2
C:\WINDOWS\system32\lvptnthu.ini
C:\WINDOWS\system32\pqxsievt.ini
C:\WINDOWS\system32\ssqNEurS.dll
C:\WINDOWS\system32\stcdnucy.ini
C:\WINDOWS\system32\xmeispxa.ini
C:\WINDOWS\taskmgr.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-18 00:40 . 2008-05-18 00:40 <DIR> d-------- C:\Program Files\VB6 Runtime Files for IDAutomation.com Applications
2008-05-17 20:23 . 2008-05-17 20:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-14 00:09 . 2008-01-07 22:59 912 --a------ C:\WINDOWS\my.ini.old
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\Program Files\MSBuild
2008-05-13 23:01 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-13 22:57 . 2008-05-13 22:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-13 22:45 . 2008-05-18 21:57 <DIR> d-------- C:\New Folder
2008-05-12 21:29 . 2008-01-07 22:59 912 --a------ C:\WINDOWS\my.ini
2008-05-12 17:00 . 2008-05-17 19:18 109,816 --a------ C:\WINDOWS\BM8b632314.xml
2008-05-11 15:36 . 2008-05-11 15:36 43,520 --a------ C:\WINDOWS\system32\opnlJcaY.dll.vir
2008-05-05 23:42 . 2008-05-05 23:42 201 --a------ C:\Documents and Settings\Senator\CommandLists.ini
2008-04-22 05:11 . 2008-04-22 05:11 <DIR> d-------- C:\Documents and Settings\Senator\Application Data\ICQ Toolbar
2008-04-22 04:14 . 2008-04-27 02:20 <DIR> d-------- C:\Program Files\ICQ6
2008-04-22 04:14 . 2008-04-22 04:25 <DIR> d-------- C:\Documents and Settings\Senator\Application Data\ICQ
2008-04-22 01:09 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 11:35 --------- d-----w C:\Program Files\SQLyog Community
2008-05-19 22:49 --------- d-----w C:\Documents and Settings\Senator\Application Data\Skype
2008-05-19 19:03 --------- d-----w C:\Documents and Settings\Senator\Application Data\skypePM
2008-05-18 18:45 --------- d-----w C:\Program Files\Cain
2008-05-17 17:07 --------- d-----w C:\Program Files\Unlocker
2008-05-13 22:41 --------- d-----w C:\Documents and Settings\Senator\Application Data\MySQL
2008-04-27 18:53 --------- d-----w C:\Program Files\DC++
2008-04-26 23:20 --------- d-----w C:\Program Files\ICQ
2008-04-22 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 01:24 --------- d-----w C:\Program Files\ICQLite
2008-04-20 17:08 --------- d-----w C:\Program Files\ESET
2008-04-15 16:43 --------- d-----w C:\Program Files\ooVoo
2008-04-15 16:43 --------- d-----w C:\Documents and Settings\Senator\Application Data\ooVoo Details
2008-04-11 16:07 --------- d-----w C:\Documents and Settings\Senator\Application Data\PlayFirst
2008-04-10 20:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
2008-04-10 01:53 --------- d-----w C:\Documents and Settings\Senator\Application Data\Metacafe
2008-04-10 01:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Metacafe
2008-03-29 00:50 --------- d-----w C:\Program Files\ReflexiveArcade
2008-03-29 00:14 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
2008-03-28 17:39 --------- d-----w C:\Documents and Settings\Senator\Application Data\Command & Conquer 3 Kane's Wrath
2008-02-18 15:51 22,328 ----a-w C:\Documents and Settings\Senator\Application Data\PnkBstrK.sys
2008-01-10 18:36 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2005-11-13 12:26 2,227,519 ----a-w C:\Documents and Settings\Senator\Application Data\Install.dat
2005-08-30 09:47 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
2005-11-08 03:47 0 --sha-w C:\WINDOWS\Win.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 12:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 01:00 128920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]
"nwiz"="nwiz.exe" [2005-12-10 04:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 17:18 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 17:18 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCInstallQueue"="netman.dll" [2005-08-22 21:29 197632 C:\WINDOWS\system32\netman.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:56 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XVID"= xvid.dll
"VIDC.DIV3"= DivXc32.dll
"VIDC.DIV4"= DivXc32f.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^Registration .LNK]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\Registration .LNK
backup=C:\WINDOWS\pss\Registration .LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!xSpeed]
C:\!xSpeednet\!xSpeednet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 10:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2006-04-10 19:55 1257472 C:\PROGRA~1\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-StopW]
C:\Program Files\FSI\F-Prot\F-StopW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-12-19 17:48 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klop]
C:\WINDOWS\1A.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-07-14 22:35 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PayTime]
C:\WINDOWS\system32\paytime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Resume copy]
--a------ 2002-03-24 14:54 46080 C:\WINDOWS\COPYFSTQ.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 21:41 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ExpIore]
C:\WINDOWS\system32\expIorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Games\\World of Warcraft\\World of Warcraft\\WoW_Launcher.exe"=
"D:\\Games\\World of Warcraft\\World of Warcraft\\game.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"D:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"D:\\Games\\World of Warcraft\\World of Warcraft\\lacd_client.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"H:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 Apache2.2;Apache2.2;"D:\AppServ\Apache2.2\bin\httpd.exe" -k runservice []
R2 litsgt;litsgt;C:\WINDOWS\system32\DRIVERS\litsgt.sys [2008-02-16 23:33]
R2 tansgt;tansgt;C:\WINDOWS\system32\DRIVERS\tansgt.sys [2008-02-16 23:33]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 23:22]
S3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 15:54]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-13 18:23]
S4 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a6b3227-5427-11da-b32e-000feaef0bf4}]
\Shell\AutoRun\command - F:\Autorun\UbiAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6faf660-1112-11dc-99dd-0011671283a0}]
\Shell\AutoRun\command - N:\PStart.exe
\Shell\pstart\command - N:\PStart.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 15:34:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"D:\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"D:\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-20 15:37:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 12:37:29

Pre-Run: 1,125,347,328 bytes free
Post-Run: 1,644,589,056 bytes free

236
  • 0

#4
greyknight17
Posted 20 May 2008 - 08:00 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is that a illegal copy of NOD32 Antivirus? I recommend uninstalling it if that's the case. I recommend not using file sharing programs like BitTorrent as they can contribute to malware infections.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

DirLook::
C:\New Folder
C:\Program Files\Common Files\Microsoft Shared\Web Folders\
File::
C:\WINDOWS\my.ini.old
C:\WINDOWS\my.ini
C:\WINDOWS\BM8b632314.xml
C:\WINDOWS\system32\opnlJcaY.dll.vir
C:\Documents and Settings\Senator\CommandLists.ini
C:\WINDOWS\nod32fixtemdono.reg
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\system32\expIorer.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\1A.tmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PayTime]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ExpIore]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

I want you to upload this file (C:\WINDOWS\Win.com) to http://virusscan.jotti.org and report back what it found.
  • 0

#5
Senatora
Posted 21 May 2008 - 07:05 AM

Senatora

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I want you to upload this file (C:\WINDOWS\Win.com) to http://virusscan.jotti.org and report back what it found.

C:\Windows\System32\Win.com
All antivirus: Found nothing

The file C:\Windows\win.com is 0 bytes long, it can't be submited to http://virusscan.jotti.org/








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:58, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Install\AntiMalware\batko.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaiowas.biz
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191689892265
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0BAF74F-BD3F-4964-8269-DC1A50124CAD}: NameServer = 84.54.136.129
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - D:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: MySQL - Unknown owner - D:\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Unknown owner - C:\WINDOWS\system32\sfrem01.exe (file missing)
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7578 bytes







ComboFix 08-05-20.5 - Senator 2008-05-21 15:48:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1549 [GMT 3:00]
Running from: C:\Documents and Settings\Senator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Senator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Senator\CommandLists.ini
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\1A.tmp
C:\WINDOWS\BM8b632314.xml
C:\WINDOWS\my.ini
C:\WINDOWS\my.ini.old
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\system32\expIorer.exe
C:\WINDOWS\system32\opnlJcaY.dll.vir
C:\WINDOWS\system32\paytime.exe
.
/wow section - STAGE 38
pv: No matching processes found
The syntax of the command is incorrect.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Senator\Application Data\Install.dat
C:\Documents and Settings\Senator\CommandLists.ini
C:\WINDOWS\BM8b632314.xml
C:\WINDOWS\my.ini
C:\WINDOWS\my.ini.old
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\system32\opnlJcaY.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 16:34 . 2008-05-20 16:34 <DIR> d-------- C:\Program Files\%temp&
2008-05-18 00:40 . 2008-05-18 00:40 <DIR> d-------- C:\Program Files\VB6 Runtime Files for IDAutomation.com Applications
2008-05-17 20:23 . 2008-05-17 20:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-13 23:01 . 2008-05-13 23:01 <DIR> d-------- C:\Program Files\MSBuild
2008-05-13 23:01 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-13 22:57 . 2008-05-13 22:57 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-13 22:45 . 2008-05-18 21:57 <DIR> d-------- C:\New Folder
2008-04-22 05:11 . 2008-04-22 05:11 <DIR> d-------- C:\Documents and Settings\Senator\Application Data\ICQ Toolbar
2008-04-22 04:14 . 2008-04-27 02:20 <DIR> d-------- C:\Program Files\ICQ6
2008-04-22 04:14 . 2008-04-22 04:25 <DIR> d-------- C:\Documents and Settings\Senator\Application Data\ICQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:47 --------- d-----w C:\Documents and Settings\Senator\Application Data\Skype
2008-05-21 12:07 --------- d-----w C:\Documents and Settings\Senator\Application Data\skypePM
2008-05-21 10:18 --------- d-----w C:\Program Files\SQLyog Community
2008-05-18 18:45 --------- d-----w C:\Program Files\Cain
2008-05-17 17:07 --------- d-----w C:\Program Files\Unlocker
2008-05-13 22:41 --------- d-----w C:\Documents and Settings\Senator\Application Data\MySQL
2008-04-27 18:53 --------- d-----w C:\Program Files\DC++
2008-04-26 23:20 --------- d-----w C:\Program Files\ICQ
2008-04-22 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 01:24 --------- d-----w C:\Program Files\ICQLite
2008-04-20 17:08 --------- d-----w C:\Program Files\ESET
2008-04-15 16:43 --------- d-----w C:\Program Files\ooVoo
2008-04-15 16:43 --------- d-----w C:\Documents and Settings\Senator\Application Data\ooVoo Details
2008-04-15 16:29 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-11 16:07 --------- d-----w C:\Documents and Settings\Senator\Application Data\PlayFirst
2008-04-10 20:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
2008-04-10 01:53 --------- d-----w C:\Documents and Settings\Senator\Application Data\Metacafe
2008-04-10 01:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Metacafe
2008-03-29 00:50 --------- d-----w C:\Program Files\ReflexiveArcade
2008-03-29 00:14 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
2008-03-28 17:39 --------- d-----w C:\Documents and Settings\Senator\Application Data\Command & Conquer 3 Kane's Wrath
2008-03-28 17:21 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-18 15:51 22,328 ----a-w C:\Documents and Settings\Senator\Application Data\PnkBstrK.sys
2008-01-10 18:36 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2005-08-30 09:47 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
2005-11-08 03:47 0 --sha-w C:\WINDOWS\Win.com
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\New Folder ----

2008-05-08 10:03 27019 --a------ C:\New Folder\ascent-world.conf
2008-05-05 05:34 24013 --a------ C:\New Folder\index.php
2008-05-04 01:45 2704 --a------ C:\New Folder\ascent-realms.conf
2008-05-03 19:25 3445 --a------ C:\New Folder\ascent-logonserver.conf
2008-04-17 17:13 102709 --a------ C:\New Folder\2.4.1_logon_db\logon.sql
2008-01-22 14:22 249856 --a------ C:\New Folder\Eset Login Viewer v1.2.exe

---- Directory of C:\Program Files\Common Files\Microsoft Shared\Web Folders\ ----

2005-09-29 11:23 80448 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\PKMWS.DLL
2005-09-29 11:23 42568 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\1033\NSEXTINT.DLL
2005-09-29 11:23 35896 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\MSOSV.DLL
2005-09-29 11:23 1292872 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\MSONSEXT.DLL
2005-09-29 11:23 10816 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\1033\MSOSVINT.DLL
1999-06-06 03:09 122937 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\MSOWS409.DLL
1999-04-08 03:25 7994 --ah----- C:\Program Files\Common Files\Microsoft Shared\Web Folders\\PUBPLACE.HTT
1999-03-18 05:37 593977 --a------ C:\Program Files\Common Files\Microsoft Shared\Web Folders\\RAGENT.DLL


((((((((((((((((((((((((((((( snapshot@2008-05-20_15.37.17.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 12:33:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 09:11:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 12:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 01:00 128920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]
"nwiz"="nwiz.exe" [2005-12-10 04:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 04:06 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 17:18 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 17:18 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCInstallQueue"="netman.dll" [2005-08-22 21:29 197632 C:\WINDOWS\system32\netman.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:56 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XVID"= xvid.dll
"VIDC.DIV3"= DivXc32.dll
"VIDC.DIV4"= DivXc32f.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Senator^Start Menu^Programs^Startup^Registration .LNK]
path=C:\Documents and Settings\Senator\Start Menu\Programs\Startup\Registration .LNK
backup=C:\WINDOWS\pss\Registration .LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!xSpeed]
C:\!xSpeednet\!xSpeednet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 10:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2006-04-10 19:55 1257472 C:\PROGRA~1\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-StopW]
C:\Program Files\FSI\F-Prot\F-StopW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-12-19 17:48 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-07-14 22:35 1961984 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Resume copy]
--a------ 2002-03-24 14:54 46080 C:\WINDOWS\COPYFSTQ.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 21:41 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Games\\World of Warcraft\\World of Warcraft\\WoW_Launcher.exe"=
"D:\\Games\\World of Warcraft\\World of Warcraft\\game.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"D:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"D:\\Games\\World of Warcraft\\World of Warcraft\\lacd_client.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"H:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 Apache2.2;Apache2.2;"D:\AppServ\Apache2.2\bin\httpd.exe" -k runservice []
R2 litsgt;litsgt;C:\WINDOWS\system32\DRIVERS\litsgt.sys [2008-02-16 23:33]
R2 tansgt;tansgt;C:\WINDOWS\system32\DRIVERS\tansgt.sys [2008-02-16 23:33]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 23:22]
S3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 15:54]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-13 18:23]
S4 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a6b3227-5427-11da-b32e-000feaef0bf4}]
\Shell\AutoRun\command - F:\Autorun\UbiAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6faf660-1112-11dc-99dd-0011671283a0}]
\Shell\AutoRun\command - N:\PStart.exe
\Shell\pstart\command - N:\PStart.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 15:50:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"D:\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"D:\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-05-21 15:51:17
ComboFix-quarantined-files.txt 2008-05-21 12:51:00
ComboFix2.txt 2008-05-20 12:37:34

Pre-Run: 1,608,683,520 bytes free
Post-Run: 1,607,979,008 bytes free

241

Edited by Senatora, 21 May 2008 - 07:25 AM.

  • 0

#6
greyknight17
Posted 21 May 2008 - 07:09 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Program Files\%temp&
C:\WINDOWS\Win.com

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
Senatora
Posted 22 May 2008 - 02:16 PM

Senatora

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank you very much!

< C:\Program Files\%temp& >
C:\Program Files\%temp& moved successfully.
C:\WINDOWS\Win.com moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05222008_231833
  • 0

#8
greyknight17
Posted 23 May 2008 - 05:23 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just to confirm, is everything running ok now? If so, I will close this topic :)
  • 0

#9
greyknight17
Posted 29 May 2008 - 10:14 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP