Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

taskbar VIRUS ALERT! [RESOLVED]


  • This topic is locked This topic is locked

#1
chou05

chou05

    Member

  • Member
  • PipPip
  • 24 posts
i have encountered a malware i am in need of assistance. i have attempted to resolve the problem through various google searches upon this malware. symptoms left on my machine are a VIRUS ALERT! word on my taskbar along with changing the time into military time. It has went to the extent of placing VIRUS ALERT! into system properties(sysdm.cpl) registered to: i have read through some posts within this knowledgable site regarding this malware, although everyones case was a little different?
i have downloaded combofix.exe as mentioned various times by you experts here, but have not done anything with it yet (waiting on your instructions.)

kaspersky scan has killed off many trojan programs that seem to have killed most of these fake virus warning popups that spawn up a site requesting me to purchase their program to kill this virus. although those popup sites are gone, i still recieve some random advertisement popups from my IE

your help and time would be much apprieciated

kind regards,
chou05

***

Logfile of HijackThis v1.99.1
Scan saved at 22:38: VIRUS ALERT!, on 31/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {27796771-8D05-4EE6-B478-43CE759F2106} - C:\WINDOWS\system32\cbXQkhhF.dll
O2 - BHO: (no name) - {5AAC7CF6-7E28-41D0-8431-EEA3A8A2A884} - C:\WINDOWS\system32\rqRJCVPi.dll
O2 - BHO: (no name) - {64E50CFE-B64C-4A91-8D0B-9552656DC06C} - C:\WINDOWS\system32\ddcdEWoo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [382ac0cd] rundll32.exe "C:\WINDOWS\system32\kcurhflh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbXQkhhF - C:\WINDOWS\SYSTEM32\cbXQkhhF.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
  • 0

Advertisements


#2
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi chou05,

Welcome to Geeks to Go. :)

ComboFix is an extremely powerfull tool. Please follow my instructions exactly as I have them listed below.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
thank you for the godspeed reply :) . i have done a trendmicro online scan of my computer last night, able to kill off few other trojans. here is my combofix log along with an updated hijackthis log

much apprieciated
chou05

***
combofix
***


ComboFix 08-05-29.1 - Owner 2008-06-01 11:54:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbXQkhhF.dll
C:\WINDOWS\system32\dkmbyybs.ini
C:\WINDOWS\system32\hlfhruck.ini
C:\WINDOWS\system32\iPVCJRqr.ini
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\kcurhflh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ooWEdcdd.ini
C:\WINDOWS\system32\ooWEdcdd.ini2
C:\WINDOWS\system32\ugwarpqn.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-31 21:50 . 2008-05-31 21:50 324,864 --a------ C:\WINDOWS\system32\rqRJCVPi.dll
2008-05-29 00:05 . 2008-05-31 17:01 198 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-01 11:56 11,411,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-01 11:44 153,548 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-01 11:55 76,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-01 11:44 7,988 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-05-12 07:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6C.tmp
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AAC7CF6-7E28-41D0-8431-EEA3A8A2A884}]
2008-05-31 21:50 324864 --a------ C:\WINDOWS\system32\rqRJCVPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E50CFE-B64C-4A91-8D0B-9552656DC06C}]
C:\WINDOWS\system32\ddcdEWoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03e4405-2402-11da-93f4-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 18:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 11:56:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 11:58:24
ComboFix-quarantined-files.txt 2008-06-01 18:57:34

Pre-Run: 55,715,823,616 bytes free
Post-Run: 55,701,311,488 bytes free

128 --- E O F --- 2008-05-17 05:58:52









***
hijackthis
***


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14, on 01/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe

--
End of file - 6089 bytes
  • 0

#4
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi chou5,

I know that you mean well, but please do not run any scan or tools other than the ones that I instruct you to whilst we are cleaning your computer. The reason being that specific files or registry entries that I am looking for may be lost or deleted with those scans.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Logs to be posted in your next reply:

vundofix.txt
main.txt
extra.txt
  • 0

#5
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Octagonal,
my bad, totally understand what you mean.
im surprised yet relieved that vundo didn't pick up anything.
ps. i used brown to distinquish the diff txt files (for my untrained eye)

VundoFix V7.0.5

Scan started at 8:36:44 PM 02/06/2008

Listing files found while scanning....

No infected files were found.





Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-02 21:00:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2008-06-03 04:01:00 UTC - RP601 - Deckard's System Scanner Restore Point
58: 2008-06-03 03:53:58 UTC - RP600 - System Checkpoint
57: 2008-06-01 19:04:10 UTC - RP599 - Last known good configuration
56: 2008-06-01 19:04:03 UTC - RP598 - ComboFix created restore point
55: 2008-06-01 19:04:03 UTC - RP597 - System Checkpoint


-- First Restore Point --
1: 2008-06-01 19:03:45 UTC - RP543 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01, on 02/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {64E50CFE-B64C-4A91-8D0B-9552656DC06C} - C:\WINDOWS\system32\ddcdEWoo.dll (file missing)
O2 - BHO: (no name) - {9E9E7B2A-C8F7-48B6-B557-FDDB21D6EEB8} - C:\WINDOWS\system32\rqRJCVPi.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1162
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe

--
End of file - 6264 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser %1,%*
.pif - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 npkcrypt - c:\program files\gravity\ro\npkcrypt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 U.S. Robotics 802.11g Wireless USB Adapter (U.S. Robotics 802.11g Wireless USB Adapter Service) - c:\program files\u.s.robotics wireless monitor\wlservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-02 20:58:00 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 20:19:21 0 d-------- C:\VundoFix Backups
2008-06-01 12:04:52 95232 --a------ C:\WINDOWS\system32\vafcvmwg.dll
2008-06-01 12:03:35 411511 --ahs---- C:\WINDOWS\system32\iPVCJRqr.ini2
2008-06-01 11:37:16 68096 --a------ C:\WINDOWS\zip.exe
2008-06-01 11:37:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-01 11:37:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-01 11:37:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-01 11:37:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-01 11:37:16 98816 --a------ C:\WINDOWS\sed.exe
2008-06-01 11:37:16 80412 --a------ C:\WINDOWS\grep.exe
2008-06-01 11:37:16 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-31 23:19:44 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-27 23:26:03 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26:03 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23:56 97312 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23:56 11588896 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:10:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36:23 201728 --a------ C:\WINDOWS\system32\im_screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-05-11 16:36:23 0 d-------- C:\WINDOWS\system32\im_screensaver dir


-- Find3M Report ---------------------------------------------------------------

2008-06-01 12:13:37 0 d-------- C:\Program Files\Trend Micro
2008-05-27 23:23:55 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 23:08:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 06:14:34 0 d-------- C:\Program Files\Warcraft III
2008-05-25 04:51:21 0 d-------- C:\Program Files\Starcraft
2008-05-19 20:26:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-14 20:49:13 0 d-------- C:\Program Files\Microsoft.NET
2008-04-13 15:58:26 2539 --a------ C:\WINDOWS\unins000.dat
2008-04-13 15:46:37 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E50CFE-B64C-4A91-8D0B-9552656DC06C}]
C:\WINDOWS\system32\ddcdEWoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E7B2A-C8F7-48B6-B557-FDDB21D6EEB8}]
C:\WINDOWS\system32\rqRJCVPi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" []
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [10/03/2004 20:57]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [20/07/2005 00:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [18/11/2007 18:06]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08/02/2008 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 12:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [13/11/2006 14:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRJCVPi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03e4405-2402-11da-93f4-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-06-02 21:03:37 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1013.54 MiB / 617.99 MiB
Pagefile Memory (total/avail): 2914.95 MiB / 2682.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.19 MiB

C: is Fixed (NTFS) - 228.23 GiB total, 51.44 GiB free.
D: is Fixed (FAT32) - 4.64 GiB total, 2.41 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-22MHB0 - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 228.23 GiB - C:
\PARTITION1 - Unknown - 4.65 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Application Loader"
"C:\\Program Files\\Starcraft\\starcraft.exe"="C:\\Program Files\\Starcraft\\starcraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Warcraft III\\war3.exe"="C:\\Program Files\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BILL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\BILL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Autodesk Shared;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=BILL
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Gateway
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACE-HIGH MP3 WAV WMA OGG Converter --> C:\PROGRA~1\ACE-HI~1\UNWISE.EXE C:\PROGRA~1\ACE-HI~1\INSTALL.LOG
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Autodesk Revit Building 8 --> MsiExec.exe /X{D7475246-CCDE-469C-AF03-B681B6FBE91D}
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
Dream Of Mirror Online --> C:\AeriaGames\DOMO\Uninst.exe
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Haali Media Splitter --> "C:\Program Files\Matroska Pack\haali\uninstall.exe"
Hacker Evolution (1.00.0087) (remove only) --> "C:\Program Files\Hacker Evolution\uninstall.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iGuidance --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A77B88-7702-453F-8AA5-545CFD07A1DD}\Setup.exe" -l0x9
im_screensaver --> C:\WINDOWS\system32\im_screensaver.scr /u
Intel Audio Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D1B20A6-E31D-4BB5-BC5C-DDD3B0D91728}\setup.exe" -l0x9
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Matroska Pack --> C:\Program Files\Matroska Pack\uninstall.exe
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mobipocket Reader 6.1 --> MsiExec.exe /I{7078C6C2-F5A5-4A5F-86A8-CD1301CA07DF}
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nokia Multimedia Player --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4D6183C0-005C-4B1F-8261-4B0F71F1C4A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sniper for Pocket PC --> C:\PROGRA~1\SNIPER~1\SetupCE.exe /U
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
U.S. Robotics 802.11g USB Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CB428D1-EF83-420F-BF47-C03D2186522B}\setup.exe" -l0x9
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{97A96172-A963-4A37-9FFB-DA6805BB915A}\setup.exe -runfromtemp -l0x0409
VideoLAN VLC media player 0.8.4a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB890760 -->
Windows XP Media Center Edition 2005 KB895198 -->
Windows XP Media Center Edition 2005 KB895678 -->
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip Self-Extractor --> "C:\Program Files\WinZip Self-Extractor\wzipse32.exe" -uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type6352 / Success
Event Submitted/Written: 05/27/2008 07:21:50 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6345 / Success
Event Submitted/Written: 05/26/2008 02:15:09 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6330 / Success
Event Submitted/Written: 05/25/2008 01:19:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6310 / Success
Event Submitted/Written: 05/24/2008 04:23:59 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6302 / Success
Event Submitted/Written: 05/24/2008 00:28:05 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type46402 / Error
Event Submitted/Written: 06/01/2008 07:36:42 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Event Record #/Type46401 / Error
Event Submitted/Written: 06/01/2008 07:26:27 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Event Record #/Type46400 / Error
Event Submitted/Written: 06/01/2008 06:36:24 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Event Record #/Type46399 / Error
Event Submitted/Written: 06/01/2008 06:26:45 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Event Record #/Type46362 / Warning
Event Submitted/Written: 06/01/2008 11:28:13 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-06-02 21:03:37 ------------

  • 0

#6
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi chou5,

It is important that you follow these instructions exactly as I have listed. Failure to adhere to this could result in damage to your Registry Settings and the possibility of not being able to boot your computer or other unexpected events occurring.

You will need to print out a copy of these instructions and also save them to NotePad and put a shortcut to the file on the desktop so that you can refer to while you complete this procedure.

Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Check Download Accelerator Plus (DAP).
  • Click the Remove or Change/Remove button.
  • Reboot your computer once all Java components and Download Accelerator Plus (DAP) is removed.
  • Then from your desktop double-click on the download of jre-6u6-windows-i586-p.exe to install the newest version.
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\inf\SET6C.tmp
  • Click on the submit button
  • Please post the results in your next reply.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...RT-t200116.html

Collect::
C:\WINDOWS\system32\vafcvmwg.dll


File::
C:\WINDOWS\system32\vafcvmwg.dll
C:\WINDOWS\system32\iPVCJRqr.ini2


Folder::
C:\Program Files\DAP


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AAC7CF6-7E28-41D0-8431-EEA3A8A2A884}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E50CFE-B64C-4A91-8D0B-9552656DC06C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E7B2A-C8F7-48B6-B557-FDDB21D6EEB8}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= -
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03e4405-2402-11da-93f4-806d6172696f}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Clean Traces]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Download with &DAP]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download &all with DAP]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{74CD40EA-EF77-4BAD-808A-B5982DA73F20}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXQkhhF]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wingsa32]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\DAP\\DAP.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files from step 5 on your desktop.

It is important to backup the Registry before we make any changes so that we have a fresh copy in case of misfortune. Please click on Start then Run and copy the following code into the command line.

regedit /e C:\BackupReg1.reg

Click the OK button or press the Enter key. This will save a copy of the Registry to a file (C:\BackupReg1.reg) on your local hard drive.

Open Notepad, and copy the contents of the code box below into a new text file. Save it on your Desktop as FixReg1.reg. For the "save as type" choose all files.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Locate FixReg1.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Post the following reports/logs into your next reply:
  • Jottis scan results
  • Combofix.txt
  • MBAM log.
  • A new HijackThis log (run after MBAM has finished its work.)
  • Let me know how your computer is now behaving.

Reason for edit: Fixed typo

Edited by Octagonal, 03 June 2008 - 07:34 AM.

  • 0

#7
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
hi Octagonal,

i came into some problems at the:
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

it would ask if i want to run it and i do, after it finishes, it doesn't create the two files you mentioned, although it does end with the combofix.log (see below)

Jotti scan:

Scan taken on 05 Jun 2008 06:37:49 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


here is an update version of the combofix log in case this is of any use to understand why the two files you mentioned didn't spawn?

ComboFix 08-06-04.3 - Owner 2008-06-04 23:31:58.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.577 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\vafcvmwg.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 22:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 22:34 . 2008-06-04 22:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 21:00 . 2008-06-02 21:00 <DIR> d-------- C:\Deckard
2008-06-02 20:19 . 2008-06-02 20:19 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-29 00:05 . 2008-06-01 14:20 256 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-04 23:33 11,913,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-04 22:57 159,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-04 23:33 127,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-04 22:57 12,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 05:35 --------- d-----w C:\Program Files\Java
2008-06-05 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 05:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 19:13 --------- d-----w C:\Program Files\Trend Micro
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6C.tmp
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( [email protected]_11.56.30.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:45:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 05:35:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 05:31:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-04 16:06:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 16:07:06 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 17:36:48 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 06:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 23:33:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 23:34:56
ComboFix-quarantined-files.txt 2008-06-05 06:34:40
ComboFix2.txt 2008-06-05 06:25:48
ComboFix3.txt 2008-06-05 06:15:39
ComboFix4.txt 2008-06-05 06:05:52
ComboFix5.txt 2008-06-01 18:58:25

Pre-Run: 54,947,004,416 bytes free
Post-Run: 54,933,184,512 bytes free

130 --- E O F --- 2008-05-17 05:58:52

  • 0

#8
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi chou5,

I don't know why those two files weren't generated. However, I notice that ComboFix was run several times, please only run any of the programs when I instruct you to. To enable me to see what ComboFix has or hasn't deleted I need to see the logs from the subsequent runs which I will ask for below.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please do an online scan with Kaspersky WebScanner

Please note: You must use Internet Explorer for this as it uses an ActiveX component.

This scan may take a while to complete, so please be patient and let it finish.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Select a target to scan; click on My Computer.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete choose the option to Save as Text.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the following:

It will probably be easier for both of us if you post the ComboFix logs below in seperate posts
    • C:\qoobox\ComboFix2.txt
    • C:\qoobox\ComboFix3.txt
    • C:\qoobox\ComboFix4.txt
    • C:\qoobox\ComboFix5.txt
  • MBAM log
  • A fresh HijackThis log
  • Let me know how your computer is behaving

  • 0

#9
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
sry about the mult combo fix logs, i attempted to generate the 2 files you mentioned but had no luck. so i tried it again, in case i did somthing wrong.
i thought it was my kaspersky antivirus, so i disabled it.
i turned on my comp today first time since my attempt with combofix (and the generating of the two files) symptoms i encountered new:
my computer startup took really long to load up
internet exploror wouldn't open (i would load the browser but will instantly flash and close)
got a intel audio studio controller error messaging stating it doesn't support the board detected
some icons wont load (jpgs on my desktop)
cant drag and drop

i couldnt do what you mentioed above cause i couldn't load up internet now. im posting this with my pda

note i forgot to enable back my antivirus before shutting down last time i posted
  • 0

#10
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hello chou05,

Before we do anything further, I would like to see all those other Combofix logs I requsested in my last post to see exectly what ComboFix did. This is so I can determine whether what we did with ComboFix had anything to do with your current problem. Can you tranfer them to a flash drive and post them in this thread from another comuter?
  • 0

Advertisements


#11
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 08-06-04.3 - Owner 2008-06-04 23:22:43.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.613 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\vafcvmwg.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 22:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 22:34 . 2008-06-04 22:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 21:00 . 2008-06-02 21:00 <DIR> d-------- C:\Deckard
2008-06-02 20:19 . 2008-06-02 20:19 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-29 00:05 . 2008-06-01 14:20 256 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-04 23:23 11,886,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-04 22:57 159,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-04 23:24 124,960 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-04 22:57 12,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 05:35 --------- d-----w C:\Program Files\Java
2008-06-05 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 05:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 19:13 --------- d-----w C:\Program Files\Trend Micro
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6C.tmp
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( [email protected]_11.56.30.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:45:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 05:35:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 05:31:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-04 16:06:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 16:07:06 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 17:36:48 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 06:24:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 23:24:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 23:25:46
ComboFix-quarantined-files.txt 2008-06-05 06:25:39
ComboFix2.txt 2008-06-05 06:15:39
ComboFix3.txt 2008-06-05 06:05:52
ComboFix4.txt 2008-06-01 18:58:25

Pre-Run: 54,974,640,128 bytes free
Post-Run: 54,961,188,864 bytes free

129 --- E O F --- 2008-05-17 05:58:52
  • 0

#12
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 08-05-29.1 - Owner 2008-06-04 23:12:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.611 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\vafcvmwg.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 22:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 22:34 . 2008-06-04 22:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 21:00 . 2008-06-02 21:00 <DIR> d-------- C:\Deckard
2008-06-02 20:19 . 2008-06-02 20:19 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-29 00:05 . 2008-06-01 14:20 256 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-04 23:13 11,850,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-04 22:57 159,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-04 23:14 121,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-04 22:57 12,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 05:35 --------- d-----w C:\Program Files\Java
2008-06-05 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 05:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 19:13 --------- d-----w C:\Program Files\Trend Micro
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6C.tmp
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( [email protected]_11.56.30.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:45:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 05:35:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 05:31:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-04 16:06:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 16:07:06 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 17:36:48 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 06:14:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 23:14:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 23:15:37
ComboFix-quarantined-files.txt 2008-06-05 06:15:31
ComboFix2.txt 2008-06-05 06:05:52
ComboFix3.txt 2008-06-01 18:58:25

Pre-Run: 55,007,055,872 bytes free
Post-Run: 54,993,887,232 bytes free

128 --- E O F --- 2008-05-17 05:58:52
  • 0

#13
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 08-05-29.1 - Owner 2008-06-04 22:54:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\vafcvmwg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gwmvcfav.ini
C:\WINDOWS\system32\iPVCJRqr.ini
C:\WINDOWS\system32\iPVCJRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 22:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 22:34 . 2008-06-04 22:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 21:00 . 2008-06-02 21:00 <DIR> d-------- C:\Deckard
2008-06-02 20:19 . 2008-06-02 20:19 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-29 00:05 . 2008-06-01 14:20 256 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-04 22:58 11,821,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-04 22:57 159,380 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-04 22:58 119,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-04 22:57 12,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 05:35 --------- d-----w C:\Program Files\Java
2008-06-05 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 05:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 19:13 --------- d-----w C:\Program Files\Trend Micro
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( [email protected]_11.56.30.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 18:45:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:58:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 05:35:45 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-05 05:31:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-29 05:35:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 05:31:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-04 16:06:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-03-04 16:07:06 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-03-04 17:36:48 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E50CFE-B64C-4A91-8D0B-9552656DC06C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E7B2A-C8F7-48B6-B557-FDDB21D6EEB8}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 06:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:59:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLancfgG.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-04 23:05:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 06:05:47
ComboFix2.txt 2008-06-01 18:58:25

Pre-Run: 54,684,905,472 bytes free
Post-Run: 55,023,009,792 bytes free

145 --- E O F --- 2008-05-17 05:58:52
  • 0

#14
chou05

chou05

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 08-05-29.1 - Owner 2008-06-01 11:54:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbXQkhhF.dll
C:\WINDOWS\system32\dkmbyybs.ini
C:\WINDOWS\system32\hlfhruck.ini
C:\WINDOWS\system32\iPVCJRqr.ini
C:\WINDOWS\system32\iPVCJRqr.ini2
C:\WINDOWS\system32\kcurhflh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ooWEdcdd.ini
C:\WINDOWS\system32\ooWEdcdd.ini2
C:\WINDOWS\system32\ugwarpqn.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 00:28 . 2008-05-31 23:19 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 23:19 . 2008-06-01 11:35 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-31 21:50 . 2008-05-31 21:50 324,864 --a------ C:\WINDOWS\system32\rqRJCVPi.dll
2008-05-29 00:05 . 2008-05-31 17:01 198 --a------ C:\WINDOWS\wininit.ini
2008-05-27 23:26 . 2008-05-28 19:06 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26 . 2008-05-31 21:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23 . 2008-06-01 11:56 11,411,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:23 . 2008-06-01 11:44 153,548 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 23:23 . 2008-06-01 11:55 76,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23 . 2008-06-01 11:44 7,988 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-27 23:10 . 2008-05-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 16:36 . 2008-05-11 16:36 <DIR> d-------- C:\WINDOWS\system32\im_screensaver dir
2008-05-11 16:36 . 2008-05-11 16:36 201,728 --a------ C:\WINDOWS\system32\im_screensaver.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 04:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 02:06 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-28 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 06:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 13:14 --------- d-----w C:\Program Files\Warcraft III
2008-05-25 11:51 --------- d-----w C:\Program Files\Starcraft
2008-05-12 07:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 03:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-13 22:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6C.tmp
2006-01-31 23:44 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AAC7CF6-7E28-41D0-8431-EEA3A8A2A884}]
2008-05-31 21:50 324864 --a------ C:\WINDOWS\system32\rqRJCVPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E50CFE-B64C-4A91-8D0B-9552656DC06C}]
C:\WINDOWS\system32\ddcdEWoo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [ ]
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [2004-03-10 20:57 45056]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 00:55 7090176]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-18 18:06 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Starcraft\\starcraft.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS [2006-01-25 11:54]
R2 U.S. Robotics 802.11g Wireless USB Adapter;U.S. Robotics 802.11g Wireless USB Adapter Service;C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe [2003-06-09 11:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03e4405-2402-11da-93f4-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 18:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 11:56:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 11:58:24
ComboFix-quarantined-files.txt 2008-06-01 18:57:34

Pre-Run: 55,715,823,616 bytes free
Post-Run: 55,701,311,488 bytes free

128 --- E O F --- 2008-05-17 05:58:52
  • 0

#15
Octagonal

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Sorry for the delay, I am consulting with some more expert opinion on this matter.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP