Mailskinner.rtk advice needed is it fixed?
Spybot S & D detected Mailskinner.rtk, so i used the fix item and removed it but upon restart and rescan Mailskinner.rtk was still detected..after several attempts with Spybot i decided to try Combofix which saved a log and quarantined some files. I then rescanned with Spybot which came up clean so i rebooted and scanned again with spybot which again came up clean. I then ran HJT and saved the logfile but wanted to be sure that everything is clean.
Thanks in advance, please advise if more info is needed.
Combofix log:
ComboFix 07-09-26 - Adrian 2007-09-27 0:03:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.697 [GMT 10:00]
Running from: C:\Documents and Settings\Adrian\My Documents\Ultilitys\Spyware\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\~.exe
.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.
2007-09-27 00:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 19:26 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-26 19:26 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-26 19:26 5,942,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-26 19:26 37,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-26 19:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-09-26 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-25 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-09-25 01:47 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-09-25 01:46 <DIR> d-------- C:\ATI
2007-09-24 12:57 <DIR> d-------- C:\Program Files\LimeWire
2007-09-24 02:44 <DIR> d-------- C:\Program Files\ATI Technologies
2007-09-24 02:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-27 21:12 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-08-27 21:12 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-08-27 21:12 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-08-27 21:12 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-08-27 21:12 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-08-27 21:12 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-08-27 21:12 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-08-27 21:12 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-08-27 21:12 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 23:41 80444 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-26 23:41 4364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-26 19:50 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-09-26 19:18 --------- d-------- C:\Program Files\mIRC
2007-09-26 15:22 --------- d-------- C:\Program Files\World of Warcraft
2007-09-25 21:22 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-25 21:22 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-25 21:06 --------- d-------- C:\Program Files\GameSpy Arcade
2007-09-24 22:20 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-24 12:57 --------- d-------- C:\Documents and Settings\Adrian\Application Data\LimeWire
2007-09-21 19:11 --------- d-------- C:\Program Files\Electronic Arts
2007-09-06 22:01 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-28 12:51 206088 --a------ C:\WINDOWS\system32\klogon.dll
2007-06-27 11:59 344064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-27 11:58 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-27 11:56 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-27 11:51 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-27 11:51 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-27 11:51 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-27 11:50 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-27 11:50 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-27 11:49 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-27 11:48 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-27 11:44 8232960 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-27 11:41 2940992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-27 11:31 1519744 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-27 11:19 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-27 11:17 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-27 11:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-27 11:14 176128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-27 11:10 376832 --a------ C:\WINDOWS\system32\ati2cqag.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-12 20:54]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Installer.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 00:05:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-27 0:05:54
C:\ComboFix-quarantined-files.txt ... 2007-09-27 00:05
.
--- E O F ---
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:04 AM, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adrian\My Documents\Ultilitys\Spyware\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158400405734
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 4725 bytes
i did a scan with kaspersky 7.0 which came up clear but after scanning again with Spybot S & D mailskinner.rtk was again detected..
