trojan-clicker.win32.tiny.h + Google opens wrong search item - Geeks to Go Forums


trojan-clicker.win32.tiny.h + Google opens wrong search item. The problem is not so severe, but needs attention...

#1 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 02:52 AM

Hi There :)

It's my very first time posting on geekstogo. I've been through your forum and it has helped me somehow or the other. So hats off to you :)

In the past, I've had virus and spyware problems, to such an extent that now I know if it's a severe attack or not. Previously, I used to format my laptop every time I encountered a problem. Anyhow, this time it doesn't seem severe, but I need your help to avoid formatting :)
.............

The problem is:

1) From time to time, I keep on getting a trojan-clicker.win32.tiny.h alert (it doesn't happen very often, probably after 10-15 or even 25 minutes if I'm browsing, and if I'm not browsing it doesn't happen at all :) )

2) Sometimes when I search for something in Google and click on it, it takes me to some wrong address.


The solutions tried are :

1) I installed and ran SUPERAntiSpyware :) Earlier, it helped me remove a balloon warning at the bottom right of the screen that said "Your computer is infected. Windows has detected spyware infection".

But problems 1) & 2) still continue.

2) I have AVG Anti-Virus Free. The resident shield is enabled and from time to time it removes threats such as Trojan horse Generic11.BAUQ :)

But problems 1) & 2) still continue.

..........

I'm looking forward to your help! I'm sorry if my long post is any trouble for you or if I didn't understand any forum rules regarding posting a topic. I tried to read a lot before posting, so kindly excuse me if I've followed the wrong approach on the forum.

Thank You :)

Regards,
Muneeb Khan
UK

#2 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 04:00 AM

Hello micalparkz

Welcome to G2Go. :)
=====================

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#3 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 04:07 AM

log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by Muneeb at 2008-10-14 11:04:10
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (52%) free of 10 GB
Total RAM: 255 MB (15% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:12 AM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe
C:\WINDOWS\tsnpstd3.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\ofobkdkf.exe
C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Muneeb\Desktop\RSIT.exe
C:\Program Files\trend micro\Muneeb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.orkut.com
F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\Muneeb\Desktop\Setup.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Documents and Settings\Muneeb\Desktop\Setup.exe",
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Oxford Dictionary] "oxford.exe" /tray
O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [ComApi] C:\WINDOWS\system32\ofobkdkf.exe
O4 - HKCU\..\Run: [InfoDscApl] C:\WINDOWS\system32\inqvcvqh.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Policies\Explorer\Run: [MMCfsJxbkc] C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe
O4 - Global Startup: Wireless PCI_CardBus utility V1.01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: chksh - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\chksh.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3823 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2006-11-29 262144]
""= []
"Oxford Dictionary"= []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-18 843776]
"PE2CKFNT SE"=C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe [1998-07-03 25088]
"brastk"=C:\WINDOWS\system32\brastk.exe []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MMCfsJxbkc"=C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe [2008-10-13 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2008-08-09 5674352]
"Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-01-19 4670968]
"Oxford Dictionary"=oxford.exe /tray []
""= []
"PoivY"=C:\Program Files\PoivY.com\PoivY\PoivY.exe [2008-09-26 9102112]
"SVCHOST.EXE"=C:\WINDOWS\system32\drivers\svchost.exe [2008-10-13 30720]
"ComApi"=C:\WINDOWS\system32\ofobkdkf.exe [2008-10-13 77824]
"InfoDscApl"=C:\WINDOWS\system32\inqvcvqh.exe [2008-10-14 77824]
"brastk"=C:\WINDOWS\system32\brastk.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Calendar Checker]
C:\Program Files\Ulead Systems\Ulead Photo Express 6\CalCheck.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless PCI_CardBus utility V1.01.exe.lnk - C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
chksh - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\chksh.dll [2008-10-13 106496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe"="C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:*:Enabled:Voipwise"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"D:\Games\Commandos 3\commandos3.exe"="D:\Games\Commandos 3\commandos3.exe:*:Enabled:commandos3"
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"C:\Program Files\PoivY.com\PoivY\PoivY.exe"="C:\Program Files\PoivY.com\PoivY\PoivY.exe:*:Enabled:PoivY"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4338e5cb-6632-11dd-af06-0810741381b7}]
shell\AutoRun\command - rxukgcm.exe
shell\explore\command - rxukgcm.exe
shell\open\command - rxukgcm.exe


======List of files/folders created in the last 1 months======

2008-10-14 11:04:18 ----D---- C:\Program Files\trend micro
2008-10-14 11:04:09 ----D---- C:\rsit
2008-10-14 02:36:16 ----SHD---- C:\FOUND.002
2008-10-14 02:33:49 ----A---- C:\WINDOWS\system32\inqvcvqh.exe
2008-10-14 02:08:10 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-14 02:08:03 ----SHD---- C:\Config.Msi
2008-10-14 01:31:56 ----A---- C:\WINDOWS\system32\CMMGR32.EXE
2008-10-14 01:16:27 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-14 01:15:14 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-14 01:15:13 ----D---- C:\Documents and Settings\Muneeb\Application Data\SUPERAntiSpyware.com
2008-10-14 00:21:37 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-10-13 22:35:59 ----A---- C:\WINDOWS\brastk.exe
2008-10-13 22:34:47 ----A---- C:\WINDOWS\zipped.tmp
2008-10-13 22:34:47 ----A---- C:\WINDOWS\zip3.tmp
2008-10-13 22:34:47 ----A---- C:\WINDOWS\zip2.tmp
2008-10-13 22:34:47 ----A---- C:\WINDOWS\zip1.tmp
2008-10-13 22:34:47 ----A---- C:\WINDOWS\userconfig9x.dll
2008-10-13 22:34:47 ----A---- C:\WINDOWS\system32\winlogonpc.exe
2008-10-13 22:34:47 ----A---- C:\WINDOWS\FVProtect.exe
2008-10-13 22:34:47 ----A---- C:\WINDOWS\base64.tmp
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\taack.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\ps1.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\mwin32.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\hxiwlgpm.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\hoproxy.dll
2008-10-13 22:34:46 ----A---- C:\WINDOWS\system32\bsva-egihsg52.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\iTunesMusic.exe
2008-10-13 22:34:46 ----A---- C:\WINDOWS\a.bat
2008-10-13 22:34:45 ----A---- C:\WINDOWS\system32\msnbho.dll
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\temp#01.exe
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\ssurf022.dll
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\netode.exe
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\mtr2.exe
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\msgp.exe
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\medup020.dll
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\medup012.dll
2008-10-13 22:34:44 ----A---- C:\WINDOWS\system32\h@tkeysh@@k.dll
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\thun32.dll
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\thun.dll
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\ssvchost.exe
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\ssvchost.com
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\Rundl1.exe
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\regm64.dll
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\regc64.dll
2008-10-13 22:34:43 ----A---- C:\WINDOWS\system32\msvchost.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\winsystem.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\WINWGPX.EXE
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\winsystem.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\vcatchpi.dll
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\sysreq.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\newsd32.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\mssecu.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\emesx.dll
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\bdn.com
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\anticipator.dll
2008-10-13 22:34:42 ----A---- C:\WINDOWS\system32\akttzn.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\mssecu.exe
2008-10-13 22:34:42 ----A---- C:\WINDOWS\bdn.com
2008-10-13 22:34:41 ----A---- C:\WINDOWS\system32\vbsys2.dll
2008-10-13 22:34:41 ----A---- C:\WINDOWS\system32\awtoolb.dll
2008-10-13 22:34:07 ----D---- C:\Program Files\qsgjurf
2008-10-13 22:34:06 ----D---- C:\Documents and Settings\All Users\Application Data\qxedyrwr
2008-10-13 22:34:01 ----A---- C:\WINDOWS\system32\ofobkdkf.exe
2008-10-12 01:26:57 ----A---- C:\WINDOWS\system32\74Br7Kr3.exe.a_a
2008-10-07 22:29:24 ----SHD---- C:\FOUND.001
2008-10-07 18:47:58 ----A---- C:\WINDOWS\ULEAD32.INI
2008-10-07 18:47:44 ----A---- C:\WINDOWS\system32\MFCO40.DLL
2008-10-07 18:47:05 ----D---- C:\Program Files\Ulead Systems
2008-10-01 22:35:20 ----D---- C:\Documents and Settings\Muneeb\Application Data\PoivY
2008-10-01 22:30:59 ----D---- C:\Program Files\PoivY.com
2008-09-22 19:59:57 ----D---- C:\Documents and Settings\Muneeb\Application Data\IrfanView
2008-09-21 22:45:03 ----SHD---- C:\Documents and Settings\Muneeb\Application Data\.#
2008-09-21 22:44:44 ----A---- C:\WINDOWS\system32\suppdll.dll
2008-09-21 22:44:42 ----D---- C:\Program Files\Folder Lock
2008-09-21 15:39:57 ----D---- C:\Documents and Settings\Muneeb\Application Data\Media Player Classic
2008-09-21 15:36:32 ----A---- C:\WINDOWS\system32\msvcr71.dll

======List of files/folders modified in the last 1 months======

2008-10-14 07:45:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-05 00:28:30 ----A---- C:\WINDOWS\win.ini
2008-09-27 12:33:28 ----SH---- C:\boot.ini
2008-09-27 12:33:28 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-08-09 26824]
R1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-08-09 76040]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 windrvNT;windrvNT; \??\C:\WINDOWS\system32\windrvNT.sys []
R3 atimtai;atimtai; C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 maestro;ESS Maestro 3 Audio Driver (WDM); C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 USRWDXJS;USRWDXJSMiniPCI Winmodem; C:\WINDOWS\system32\DRIVERS\USRWDXJS.sys [2001-08-17 687999]
R3 W8335XP;802.11g/b Driver for Windows XP ; C:\WINDOWS\system32\DRIVERS\Mrvw125.sys [2005-12-29 282624]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys [2004-08-03 22016]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-03-21 10198144]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Atievxx.exe [2001-08-17 37376]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.04 2008-10-14 11:05:20

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Age Of Empire-II The Conquerors-->C:\WINDOWS\unvise32.exe D:\Games\Age Of Empire-II The Conquerors\uninstal.log
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Chariots of War-->D:\Games\STRATE~1\CHARIO~1\UNWISE.EXE D:\Games\STRATE~1\CHARIO~1\INSTALL.LOG
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
jetAudio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\Setup.exe" -l0x9
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0b1)-->"C:\Program Files\Mozilla Firefox 2 Beta 1\uninstall\uninstaller.exe" "/ua 2.0b1 (en-US)"
Oxford English Explanatory Dictionary-->MsiExec.exe /X{05E73DD3-7D9E-4913-AF70-219EB395E4B7}
PoivY-->"C:\Program Files\PoivY.com\PoivY\unins000.exe"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
The Hadith Software Version 1.1-->"C:\Program Files\The Hadith Software\unins000.exe"
Ulead Photo Express 2.0 SE-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\Uninst.isu" -c"C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\IS32Inst.dll"
USB PC Camera Plus-->C:\Program Files\InstallShield Installation Information\{ECD03DA7-5952-406A-8156-5F0C93618D1F}\setup.exe -runfromtemp -l0x0009 -removeonly
Voipwise-->"C:\Program Files\Voipwise.com\Voipwise\unins000.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wireless PCI_CardBus utility V1.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0150ECF7-60CB-43C5-AB0A-877BB76ABA55}\setup.exe" -l0x9 -removeonly
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: AVG Anti-Virus Free

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0806
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
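The RSIT/HijackThis log above is a textbook persistence picture: the Winlogon Shell and UserInit values carry an extra Setup.exe, AppInit_DLLs is set to karna.dat, a ShellServiceObjectDelayLoad DLL sits in a random-named Program Files folder, Run entries point at random-named executables under Application Data and system32, an svchost.exe is squatting in system32\drivers, 48 At*.job scheduled tasks exist, and a mountpoints2 AutoRun handler launches rxukgcm.exe. The script below is an added example, not part of this thread and not code from RSIT or HijackThis: it runs a few of the checks a responder applies by eye over lines in this log format and states why each line was flagged. Every rule in it is a triage heuristic and an assumption (the vowel-ratio "random name" test, the trusted-directory prefixes, the short allowlist of core Windows process names); it will produce false positives on real logs. The sample log is a handful of lines excerpted from the post above.

```python
"""Triage a HijackThis / RSIT-style log for persistence entries worth a second look.

Added example; not part of the thread above and not code from HijackThis or RSIT.
Every rule here is a triage heuristic (an assumption), not a malware signature.
"""
import re
from typing import List, Tuple

DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"
VOWELS = set("aeiou")
# Core Windows binaries whose short, vowel-poor names would otherwise trip the
# random-name test (partial list, an assumption).
KNOWN_SYSTEM = {"svchost", "lsass", "smss", "csrss", "winlogon", "services", "spoolsv"}
# Directories where a vendor binary with an odd name is not by itself suspicious.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1")
# Any drive-letter path ending in an executable or DLL extension.
EXE_RE = re.compile(r'([a-z]:\\[^"\n]*?\.(?:exe|com|dll|bat|scr))', re.I)


def is_random_name(stem: str) -> bool:
    """All-letter, vowel-poor stems such as 'ofobkdkf' or 'inqvcvqh' are typical
    of auto-generated dropper names. The 25% vowel threshold is an assumption."""
    s = stem.lower()
    if s in KNOWN_SYSTEM or not (6 <= len(s) <= 10) or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) <= 0.25


def path_reasons(path: str) -> List[str]:
    """Return the reasons a single executable path looks suspicious."""
    p = path.lower()
    directory, _, base = p.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if "application data" in directory or "\\temp" in directory:
        reasons.append("executable in a user-writable data directory")
    if base == "svchost.exe" and directory != r"c:\windows\system32":
        reasons.append("svchost.exe outside System32 (name squatting)")
    if directory.endswith("\\drivers") and base.endswith(".exe"):
        reasons.append(".exe in the drivers directory")
    if not directory.startswith(TRUSTED_PREFIXES) and is_random_name(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan log lines and return (line, reason) pairs for entries to investigate."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.startswith("F2 - REG:system.ini: Shell="):
            if line.split("=", 1)[1].strip().lower() != DEFAULT_SHELL:
                reasons.append("Winlogon Shell altered: extra program runs at every logon")
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            if line.split("=", 1)[1].strip().lower() != DEFAULT_USERINIT:
                reasons.append("Winlogon UserInit altered: program runs before the shell")
        elif line.startswith("O20 - AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs set: DLL loaded into every process that loads user32")
        elif line.startswith("O21 - SSODL:"):
            reasons.append("ShellServiceObjectDelayLoad entry: DLL loaded by Explorer at start")
        elif "Policies\\Explorer\\Run" in line:
            reasons.append("Policies\\Explorer\\Run: uncommon Run key that startup viewers often miss")
        elif line.lower().startswith("shell\\") and "\\command" in line.lower():
            reasons.append("drive AutoRun/open handler redirected to a program")
        for m in EXE_RE.finditer(line):
            reasons.extend(path_reasons(m.group(1)))
        for reason in dict.fromkeys(reasons):  # de-duplicate, keep order
            findings.append((line, reason))
    return findings


# Lines excerpted from the RSIT / HijackThis log posted above (constructed sample).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe
C:\WINDOWS\system32\drivers\svchost.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\Documents and Settings\Muneeb\Desktop\Setup.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Documents and Settings\Muneeb\Desktop\Setup.exe",
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [ComApi] C:\WINDOWS\system32\ofobkdkf.exe
O4 - HKLM\..\Policies\Explorer\Run: [MMCfsJxbkc] C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: chksh - {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\chksh.dll
shell\AutoRun\command - rxukgcm.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it over the sample prints one reason per flagged line; the AVG, Google Talk and system32 lsass/svchost lines come through clean, while the drivers\svchost.exe, brastk.exe, ofobkdkf.exe and mbcfedyv.exe entries, the two F2 Winlogon values, the AppInit_DLLs and SSODL entries and the AutoRun handler are all called out. The same checks apply to the registry dump and ComboFix output later in the thread, since they print the same drive-letter paths and key names.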

#4 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 04:24 AM

Please disable the AVG shield before doing the following:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  • Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

#5 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 04:59 AM

comboFix.txt

ComboFix 08-10-12.01 - Muneeb 2008-10-14 11:33:20.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.88 [GMT 1:00]
Running from: C:\Documents and Settings\Muneeb\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Muneeb\Application Data\.#
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\brastk.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\74Br7Kr3.exe.a_a
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-14 11:04 . 2008-10-14 11:04 <DIR> d-------- C:\rsit
2008-10-14 11:04 . 2008-10-14 11:04 <DIR> d-------- C:\Program Files\trend micro
2008-10-14 02:36 . 2008-10-14 02:36 <DIR> d--hs---- C:\FOUND.002
2008-10-14 02:33 . 2008-10-14 02:33 77,824 --a------ C:\WINDOWS\system32\inqvcvqh.exe
2008-10-14 02:33 . 2008-10-14 02:34 152 --a------ C:\Documents and Settings\Muneeb\delself.bat
2008-10-14 01:16 . 2008-10-14 01:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-14 01:15 . 2008-10-14 01:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-14 01:15 . 2008-10-14 01:15 <DIR> d-------- C:\Documents and Settings\Muneeb\Application Data\SUPERAntiSpyware.com
2008-10-14 00:21 . 2008-10-14 00:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-10-13 22:34 . 2008-10-13 22:34 <DIR> d-------- C:\Program Files\qsgjurf
2008-10-13 22:34 . 2008-10-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\qxedyrwr
2008-10-07 22:29 . 2008-10-07 22:29 <DIR> d--hs---- C:\FOUND.001
2008-10-07 18:47 . 2008-10-07 18:47 <DIR> d-------- C:\Program Files\Ulead Systems
2008-10-07 18:47 . 1996-08-24 11:11 384,512 --a------ C:\WINDOWS\system32\MFCO40.DLL
2008-10-07 18:47 . 1998-07-21 16:58 16,384 --a------ C:\WINDOWS\Photo Express 2 SE.scr
2008-10-07 18:47 . 2008-10-14 02:15 550 --a------ C:\WINDOWS\ULEAD32.INI
2008-10-07 18:43 . 2008-10-07 18:43 <DIR> d-------- C:\Documents and Settings\Muneeb\WINDOWS
2008-10-01 22:35 . 2008-10-01 22:35 <DIR> d-------- C:\Documents and Settings\Muneeb\Application Data\PoivY
2008-10-01 22:30 . 2008-10-01 22:31 <DIR> d-------- C:\Program Files\PoivY.com
2008-09-22 19:59 . 2008-09-22 19:59 <DIR> d-------- C:\Documents and Settings\Muneeb\Application Data\IrfanView
2008-09-21 22:44 . 2008-09-21 22:44 <DIR> d-------- C:\Program Files\Folder Lock
2008-09-21 22:44 . 2004-05-10 12:42 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2008-09-21 22:44 . 2008-09-21 22:45 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-09-21 15:39 . 2008-09-21 15:39 <DIR> d-------- C:\Documents and Settings\Muneeb\Application Data\Media Player Classic
2008-09-21 15:37 . 2008-09-21 15:37 34 --ah----- C:\WINDOWS\system32\Converter_sysquict.dat
2008-09-21 15:36 . 2004-01-11 23:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 11:10 --------- d-----w C:\Program Files\Voipwise.com
2008-08-29 08:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-18 06:46 --------- d-----w C:\Documents and Settings\Muneeb\Application Data\COWON
2008-08-15 18:08 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-08-15 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-08-09 16:34 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2008-08-09 5674352]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]
"PoivY"="C:\Program Files\PoivY.com\PoivY\PoivY.exe" [2008-09-26 9102112]
"InfoDscApl"="C:\WINDOWS\system32\inqvcvqh.exe" [2008-10-14 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-11-29 262144]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 843776]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MMCfsJxbkc"="C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe" [2008-10-13 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless PCI_CardBus utility V1.01.exe.lnk - C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe [2008-08-09 913408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"chksh"= {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\chksh.dll [2008-10-13 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\PoivY.com\\PoivY\\PoivY.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-09 76040]
R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
R3 USRWDXJS;USRWDXJSMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\USRWDXJS.sys [2001-08-17 687999]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4338e5cb-6632-11dd-af06-0810741381b7}]
\Shell\AutoRun\command - rxukgcm.exe
\Shell\explore\Command - rxukgcm.exe
\Shell\open\Command - rxukgcm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C773ES1L-TCMO-684Q-3X7A-288ASW0J6WS2}]
"C:\Documents and Settings\Muneeb\Desktop\Setup.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-10-13 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-12 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-14 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\74Br7Kr3.exe []

2008-10-13 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-12 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-14 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\6445SDmk.exe []

2008-10-13 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\6445SDmk.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ComApi - C:\WINDOWS\system32\ofobkdkf.exe
HKCU-Run-brastk - C:\WINDOWS\system32\brastk.exe
HKCU-Run-Oxford Dictionary - oxford.exe
HKLM-Run-Oxford Dictionary - (no file)
MSConfigStartUp-Ulead Calendar Checker - C:\Program Files\Ulead Systems\Ulead Photo Express 6\CalCheck.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Muneeb\Application Data\Mozilla\Firefox\Profiles\vf327xr6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 11:38:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-14 11:41:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-14 10:41:38

Pre-Run: 5,386,469,376 bytes free
Post-Run: 5,573,861,376 bytes free

293

#6 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 05:08 AM

Dear Kahdah

I'd just like to let you know I disabled AVG Resident Shield and after doing the Combo scan, it has now started giving me more trojan alerts including some KEYLOGGER stuff. It wasn't so before!

Plus, the balloon at bottom right is appearing again saying, windows has detected spyware infection.

Is it getting worse? Shall I turn on AVG Resident Shield?

I just told you so that you may be able to know the change that occurred.

Cheers :)

#7 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 09:21 AM

That is OK, you can re-enable the shield temporarily, but it might detect ComboFix as a threat; if that happens then we will have to redownload it.
================
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files chose no, when done a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.

#8 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 09:32 AM

Dear Kahdah

I did as you told, but nothing happened when I dragged the setup package onto ComboFix.exe.

#9 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 09:40 AM

That is ok let's go about it a different way:

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    
    :files
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\system32\inqvcvqh.exe
    C:\Documents and Settings\Muneeb\delself.bat
    C:\Program Files\qsgjurf
    C:\Documents and Settings\All Users\Application Data\qxedyrwr
    C:\WINDOWS\system32\74Br7Kr3.exe 
    
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InfoDscApl"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "MMCfsJxbkc"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "chksh"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4338e5cb-6632-11dd-af06-0810741381b7}]
    
    
    :commands
    [emptytemp]
    [start explorer]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:

  • Ot Move it log
  • Malware Bytes log
  • New Rsit log

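Read together, the ComboFix log above and the OTMoveIt3 script in post #9 are a small detection exercise. The malicious entries share a shape: randomly named binaries in system32 or Application Data, dozens of At*.job tasks that all point at the same two files, Security Center notifications and the Windows Firewall switched off, and an AutoRun handler under mountpoints2 for a removable volume. The :files and :reg lines in kahdah's script are that shape written back out by hand. The Python below is an added example, not code from this thread, from ComboFix or from OTMoveIt3: it parses a constructed sample assembled from lines of the log above, applies a naming-and-location heuristic that is my own (and deliberately noisy, which is why a drop location or a random parent directory is required as a second signal before anything is flagged), and renders the findings in the same :files / :reg layout. It only reads a log; it never touches the machine.

```python
"""Triage a ComboFix-style log for the autostart and hardening indicators seen
in this thread. Added example: the parser and heuristics are mine, not ComboFix's."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2008-08-09 5674352]
"InfoDscApl"="C:\WINDOWS\system32\inqvcvqh.exe" [2008-10-14 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MMCfsJxbkc"="C:\Documents and Settings\All Users\Application Data\qxedyrwr\mbcfedyv.exe" [2008-10-13 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"chksh"= {1F21957C-4D5A-3B5A-80A3-090AF0D9C993} - C:\Program Files\qsgjurf\chksh.dll [2008-10-13 106496]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4338e5cb-6632-11dd-af06-0810741381b7}]
\Shell\AutoRun\command - rxukgcm.exe
Contents of the 'Scheduled Tasks' folder
2008-10-13 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\74Br7Kr3.exe []
2008-10-14 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\74Br7Kr3.exe []
2008-10-13 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\6445SDmk.exe []
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "name"=value
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll))', re.I)
AUTORUN_RE = re.compile(r'^\\Shell\\(\S+)\s+-\s+(.+)$')      # \Shell\AutoRun\command - x.exe
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(\S+\.job)$')     # 2008-10-13 C:\...\At1.job
TARGET_RE = re.compile(r'^-\s+(.+?)\s*\[.*\]$')              # - C:\...\target.exe []
KNOWN_DIRS = {'windows', 'system32', 'program files', 'drivers'}


def looks_random(token):
    """Noisy heuristic (my own): generated names mix several digits into letters
    (74Br7Kr3) or have almost no vowels (inqvcvqh). Legitimate names such as
    MsnMsgr trip it too, so suspicious_path() always demands a second signal."""
    stem = token.rsplit('.', 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    if sum(c.isdigit() for c in stem) >= 3:
        return True
    return sum(c.lower() in 'aeiou' for c in letters) / len(letters) < 0.2


def suspicious_path(path):
    """Random-looking binary in a common drop location, or any binary living in a
    random-looking directory (the thread's qsgjurf and qxedyrwr folders)."""
    parts = path.split('\\')
    name, parent = parts[-1], parts[-2] if len(parts) > 1 else ''
    low = path.lower()
    in_drop_dir = '\\system32\\' in low or '\\application data\\' in low
    parent_random = parent.lower() not in KNOWN_DIRS and looks_random(parent)
    return parent_random or (looks_random(name) and in_drop_dir)


def triage(log):
    """Collect autostart values, At*.job targets, mountpoints2 AutoRun handlers
    and disabled Security Center / firewall settings from the log text."""
    found = {'autostart': [], 'tasks': defaultdict(list), 'autorun': [], 'hardening': []}
    section, job = None, None
    for line in (ln.strip() for ln in log.splitlines() if ln.strip()):
        if m := SECTION_RE.match(line):
            section, job = m.group(1), None
        elif m := JOB_RE.match(line):
            job = m.group(1)
        elif (m := TARGET_RE.match(line)) and job:
            found['tasks'][m.group(1)].append(job)
            job = None
        elif section and (m := AUTORUN_RE.match(line)) and 'mountpoints2' in section.lower():
            found['autorun'].append((section, m.group(1), m.group(2)))
        elif section and (m := VALUE_RE.match(line)):
            name, value, sec = m.group(1), m.group(2), section.lower()
            if 'security center' in sec and name.endswith('DisableNotify') and value.endswith('1'):
                found['hardening'].append(name + '=1: Security Center warning suppressed')
            elif 'firewallpolicy' in sec and name == 'EnableFirewall' and value.startswith('0'):
                found['hardening'].append('EnableFirewall=0 in ' + section.split('\\')[-1])
            elif (p := PATH_RE.search(value)) and suspicious_path(p.group(1)):
                found['autostart'].append((section, name, p.group(1)))
    # Keep task targets that look dropped, or that several At*.job entries share.
    found['tasks'] = {t: j for t, j in found['tasks'].items() if suspicious_path(t) or len(j) >= 3}
    return found


def otmoveit_script(found):
    """Render the findings in the :files / :reg layout used by the script in post #9."""
    files = [j for jobs in found['tasks'].values() for j in jobs]
    files += list(found['tasks']) + [p for _, _, p in found['autostart']]
    by_key = defaultdict(list)
    for section, name, _ in found['autostart']:
        by_key[section].append(f'"{name}"=-')
    reg = [ln for key, vals in by_key.items() for ln in [f'[{key}]'] + vals]
    reg += [f'[-{key}]' for key in dict.fromkeys(s for s, _, _ in found['autorun'])]
    return '\n'.join([':files', *files, '', ':reg', *reg])
```

`triage(open('ComboFix.txt').read())` runs the same pass over a saved log. On the sample it flags InfoDscApl, MMCfsJxbkc and chksh but not MsnMsgr (no vowels, but a normal Program Files parent), groups At1 and At2 under 74Br7Kr3.exe, and reports the two DisableNotify values and EnableFirewall=0 as hardening that the infection undid; the generated :files list starts with the At*.job paths exactly as the hand-written script does.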

#10 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 09:53 AM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\system32\inqvcvqh.exe moved successfully.
C:\Documents and Settings\Muneeb\delself.bat moved successfully.
C:\Program Files\qsgjurf moved successfully.
C:\Documents and Settings\All Users\Application Data\qxedyrwr moved successfully.
File/Folder C:\WINDOWS\system32\74Br7Kr3.exe not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\InfoDscApl deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run\\MMCfsJxbkc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\chksh deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4338e5cb-6632-11dd-af06-0810741381b7}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF5F2A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF5F31.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF9807.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\Perflib_Perfdata_e8.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF980E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\Perflib_Perfdata_dc4.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\flaF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Muneeb\LOCALS~1\Temp\flaE.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10142008_164424

Files moved on Reboot...
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF5F2A.tmp not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF5F31.tmp not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF9807.tmp not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\Perflib_Perfdata_e8.dat not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\~DF980E.tmp not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\Perflib_Perfdata_dc4.dat not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\flaF.tmp not found!
File C:\DOCUME~1\Muneeb\LOCALS~1\Temp\flaE.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

#11 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 09:55 AM

Great, please proceed with Malwarebytes.

#12 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 10:05 AM

Malwarebytes' Anti-Malware 1.28
Database version: 1268
Windows 5.1.2600 Service Pack 2

10/14/2008 5:04:38 PM
mbam-log-2008-10-14 (17-04-38).txt

Scan type: Quick Scan
Objects scanned: 37875
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#13 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 10:09 AM

Great, can you please run RSIT again and post the log or logs it produces, then let me know how things are running?

#14 micalparkz

  • Group: Member
  • Posts: 78
  • Joined: 13-October 08

Posted 14 October 2008 - 10:14 AM

Sure... I had deleted RSIT. I downloaded it again and here I paste the log :)

Logfile of random's system information tool 1.04 (written by random/random)
Run by Muneeb at 2008-10-14 17:12:29
Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (53%) free of 10 GB
Total RAM: 255 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:35 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\tsnpstd3.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sxipcrmr.exe
C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Muneeb\Desktop\RSIT.exe
C:\Program Files\trend micro\Muneeb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
O4 - HKCU\..\Run: [comdb] C:\WINDOWS\system32\sxipcrmr.exe
O4 - Global Startup: Wireless PCI_CardBus utility V1.01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 2981 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2006-11-29 262144]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-29 1234712]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-18 843776]
"PE2CKFNT SE"=C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe [1998-07-03 25088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2008-08-09 5674352]
"Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-01-19 4670968]
"PoivY"=C:\Program Files\PoivY.com\PoivY\PoivY.exe [2008-09-26 9102112]
"comdb"=C:\WINDOWS\system32\sxipcrmr.exe [2008-10-14 77824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless PCI_CardBus utility V1.01.exe.lnk - C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe"="C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:*:Enabled:Voipwise"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\PoivY.com\PoivY\PoivY.exe"="C:\Program Files\PoivY.com\PoivY\PoivY.exe:*:Enabled:PoivY"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-10-14 16:54:27 ----D---- C:\Documents and Settings\Muneeb\Application Data\Malwarebytes
2008-10-14 16:54:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-14 16:54:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 16:44:24 ----D---- C:\_OTMoveIt
2008-10-14 12:09:17 ----A---- C:\WINDOWS\system32\sxipcrmr.exe
2008-10-14 11:41:51 ----D---- C:\WINDOWS\temp
2008-10-14 11:41:46 ----A---- C:\ComboFix.txt
2008-10-14 11:32:03 ----A---- C:\WINDOWS\zip.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\VFIND.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\SWSC.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\SWREG.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\sed.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\grep.exe
2008-10-14 11:32:03 ----A---- C:\WINDOWS\fdsv.exe
2008-10-14 11:31:53 ----D---- C:\WINDOWS\ERDNT
2008-10-14 11:31:53 ----D---- C:\Qoobox
2008-10-14 11:04:18 ----D---- C:\Program Files\trend micro
2008-10-14 11:04:09 ----D---- C:\rsit
2008-10-14 02:36:16 ----SHD---- C:\FOUND.002
2008-10-14 02:08:10 ----D---- C:\WINDOWS\system32\appmgmt
2008-10-14 02:08:03 ----SHD---- C:\Config.Msi
2008-10-14 01:16:27 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-14 01:15:14 ----D---- C:\Program Files\SUPERAntiSpyware
2008-10-14 01:15:13 ----D---- C:\Documents and Settings\Muneeb\Application Data\SUPERAntiSpyware.com
2008-10-14 00:21:37 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-10-07 22:29:24 ----SHD---- C:\FOUND.001
2008-10-07 18:47:58 ----A---- C:\WINDOWS\ULEAD32.INI
2008-10-07 18:47:44 ----A---- C:\WINDOWS\system32\MFCO40.DLL
2008-10-07 18:47:05 ----D---- C:\Program Files\Ulead Systems
2008-10-01 22:35:20 ----D---- C:\Documents and Settings\Muneeb\Application Data\PoivY
2008-10-01 22:30:59 ----D---- C:\Program Files\PoivY.com
2008-09-22 19:59:57 ----D---- C:\Documents and Settings\Muneeb\Application Data\IrfanView
2008-09-21 22:44:44 ----A---- C:\WINDOWS\system32\suppdll.dll
2008-09-21 22:44:42 ----D---- C:\Program Files\Folder Lock
2008-09-21 15:39:57 ----D---- C:\Documents and Settings\Muneeb\Application Data\Media Player Classic
2008-09-21 15:36:32 ----A---- C:\WINDOWS\system32\msvcr71.dll

======List of files/folders modified in the last 1 months======

2008-10-14 17:07:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-14 11:38:52 ----A---- C:\WINDOWS\system.ini
2008-10-05 00:28:30 ----A---- C:\WINDOWS\win.ini
2008-09-27 12:33:28 ----SH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-08-09 26824]
R1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-08-09 76040]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 windrvNT;windrvNT; \??\C:\WINDOWS\system32\windrvNT.sys []
R3 atimtai;atimtai; C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 281600]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 maestro;ESS Maestro 3 Audio Driver (WDM); C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 174464]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 USRWDXJS;USRWDXJSMiniPCI Winmodem; C:\WINDOWS\system32\DRIVERS\USRWDXJS.sys [2001-08-17 687999]
R3 W8335XP;802.11g/b Driver for Windows XP ; C:\WINDOWS\system32\DRIVERS\Mrvw125.sys [2005-12-29 282624]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys [2004-08-03 22016]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-03-21 10198144]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Atievxx.exe [2001-08-17 37376]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
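A first-pass check a reviewer would run over the RSIT driver list above, as an added example (my own code, not part of RSIT or of this thread). RSIT prints one driver per line as `<R|S><start> <name>;<display name>; <image path> [<date> <size>]`; the parser below flags entries whose brackets are empty (RSIT recorded no date or size for the image, which I take to mean it could not read the file at scan time), entries whose ImagePath is written as a literal `\??\` object path, and entries living outside the system32 tree. On the posted list that picks out `windrvNT.sys` (running, no file info) and `catchme.sys` (stopped, and by its path ComboFix's own driver, so expected); the point is to get the list of things to verify by hand, not a verdict. The system root `C:\WINDOWS` and the four sample lines (copied from the log above) are assumptions baked into the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: four lines copied from the RSIT driver list in the
# post above. RSIT leaves the brackets empty when it could not record a
# date/size for the image file.
SAMPLE_DRIVER_LINES = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 windrvNT;windrvNT; \??\C:\WINDOWS\system32\windrvNT.sys []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
"""

# Assumption: the system root is C:\WINDOWS, as on the XP machine in this thread.
SYSTEM_DRIVER_PREFIX = r"c:\windows\system32" + "\\"

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))?\]$"
)


def parse_driver_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one RSIT driver line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_drivers(text: str) -> Dict[str, List[str]]:
    """Map driver name -> reasons a reviewer should look at that entry by hand."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        d = parse_driver_line(line)
        if d is None:
            continue
        reasons: List[str] = []
        path = d["path"] or ""
        if d["date"] is None:
            # Service registration exists, but RSIT could not stat the image.
            reasons.append("no date/size recorded for image file")
        if path.startswith("\\??\\"):
            # ImagePath stored as a literal NT object path rather than the
            # relative system32\DRIVERS\... form Windows' own drivers use.
            reasons.append("ImagePath uses \\??\\ object-path prefix")
            path = path[4:]
        if not path.lower().startswith(SYSTEM_DRIVER_PREFIX):
            reasons.append("image lives outside %SystemRoot%\\system32")
        if reasons and d["state"] == "R":
            reasons.append("driver is currently loaded")
        if reasons:
            findings[d["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_drivers(SAMPLE_DRIVER_LINES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run it against the full `======List of drivers======` block of any RSIT log; a flagged entry still needs the usual follow-up (is the file present, what does it hash to, which package installed it) before anything is removed.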

#15 kahdah

  • Group: GeekU Moderator
  • Posts: 15,822
  • Joined: 13-April 06

Posted 14 October 2008 - 10:34 AM

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    sxipcrmr.exe
    
    :files
    C:\WINDOWS\system32\sxipcrmr.exe 
    C:\WINDOWS\system32\karna.dat
    C:\WINDOWS\karna.dat
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "comdb"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
After that, post the OTMoveIt log and a new RSIT log, and then let me know how it is running.
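To make explicit what the OTMoveIt3 script in the post above asks the tool to do, here is an added example (my own code, not OTMoveIt's and not from this thread) that parses the three sections and renders each step as the equivalent PowerShell command for review. The `:reg` section follows .reg file conventions, so `"comdb"=-` deletes the `comdb` value from the HKCU Run key and `"AppInit_DLLS"=""` sets AppInit_DLLs to an empty string rather than deleting it. The embedded script is the one posted above; the hive-to-drive mapping and the choice of cmdlets are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the OTMoveIt3 script from the post above, embedded verbatim.
SCRIPT = r"""
:processes
sxipcrmr.exe

:files
C:\WINDOWS\system32\sxipcrmr.exe
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\karna.dat

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"comdb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
"""

# Registry hive names -> PowerShell drive prefixes (the two default drives).
HIVES = {"HKEY_CURRENT_USER": "HKCU:", "HKEY_LOCAL_MACHINE": "HKLM:"}

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass(frozen=True)
class Action:
    kind: str        # "kill", "delete_file", "delete_value", "set_value"
    target: str      # process image name, file path, or registry key
    name: str = ""   # registry value name
    data: str = ""   # registry value data (set_value only)


def parse_otmoveit(script: str) -> List[Action]:
    """Turn an OTMoveIt3 script into an explicit list of actions."""
    actions: List[Action] = []
    section: Optional[str] = None
    key: Optional[str] = None
    for raw in script.splitlines():
        line = raw.strip()   # the posted script has a trailing space on one path
        if not line:
            continue
        if line.startswith(":"):
            section, key = line[1:].lower(), None
            continue
        if section == "processes":
            actions.append(Action("kill", line))
        elif section == "files":
            actions.append(Action("delete_file", line))
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]   # value lines that follow apply to this key
                continue
            m = REG_VALUE_RE.match(line)
            if m is None or key is None:
                raise ValueError(f"unrecognised :reg line: {raw!r}")
            name, data = m.group("name"), m.group("data")
            if data == "-":        # .reg syntax: "name"=- deletes the value
                actions.append(Action("delete_value", key, name))
            else:                  # "name"="text" sets a REG_SZ value
                actions.append(Action("set_value", key, name, data.strip('"')))
        else:
            raise ValueError(f"line outside a known section: {raw!r}")
    return actions


def to_powershell(actions: List[Action]) -> List[str]:
    """Render each action as the equivalent PowerShell command, for review."""
    out: List[str] = []
    for a in actions:
        if a.kind == "kill":
            base = a.target[:-4] if a.target.lower().endswith(".exe") else a.target
            out.append(f"Stop-Process -Name '{base}' -Force -ErrorAction SilentlyContinue")
        elif a.kind == "delete_file":
            out.append(f"Remove-Item -LiteralPath '{a.target}' -Force")
        else:
            hive, _, rest = a.target.partition("\\")
            ps_key = HIVES[hive] + "\\" + rest
            if a.kind == "delete_value":
                out.append(f"Remove-ItemProperty -Path '{ps_key}' -Name '{a.name}'")
            else:
                out.append(f"Set-ItemProperty -Path '{ps_key}' -Name '{a.name}' -Value '{a.data}'")
    return out


if __name__ == "__main__":
    for cmd in to_powershell(parse_otmoveit(SCRIPT)):
        print(cmd)
```

The rendered plan is for reading, not for pasting in place of the tool: OTMoveIt3 also handles files that are locked until reboot and writes the log the helper asks for, which a bare `Remove-Item` does not.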
