Infected with Smitfraud-C.coreservices [Archive]

View Full Version : Infected with Smitfraud-C.coreservices

firidia

2008-01-22, 11:24

Hi i've been infected by Smitfraud-C.coreservices which was detected by Spybot but has been unable to clear it. The following are the logs, hopeful for help. Thanks in advance!

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:45 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex Yang\Desktop\Computer saving tools\Crustyhjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.singnet.com.sg:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on AMD26-88] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P40 "Auto EPSON Stylus C67 Series on AMD26-88" /O19 "\\AMD26-88\Printer4" /M "Stylus C67"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A7EFEAA-8059-4C69-8FE2-4BA999C3B102} (TrickCtrl Class) - https://ssl2.gcrest.com/trickster/cabs/TrickLauncher.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2005.2.2.cab
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {CD79C574-4775-4A42-A66B-D7071AE095AF} (SlideViewerOcx Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/SlideViewer.cab
O16 - DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} (NeffyManSpLauncherCtl Class) - http://dist.cdnetworks.co.jp/cdndist/streamport/SPort.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9942 bytes

Kaspersky online scanner log:
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 1:15:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 490471

Scan Settings
Scan using the following antivirus database
standard
Scan Archives
true
Scan Mail Bases
true

Scan Target
My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects
99980
Number of viruses found
1
Number of infected objects
5
Number of suspicious objects
0
Duration of the scan process
01:05:59

Infected Object Name
Virus Name
Last Action
C:\!KillBox\45AD9FCA.dll
Infected: Packed.Win32.NSAnti.r
skipped

C:\!KillBox\45AD9FCA.dll( 1)
Infected: Packed.Win32.NSAnti.r
skipped

C:\!KillBox\45AD9FCA.dll( 2)
Infected: Packed.Win32.NSAnti.r
skipped

C:\!KillBox\45AD9FCA.exe
Infected: Packed.Win32.NSAnti.r
skipped

C:\!KillBox\45AD9FCA.exe( 3)
Infected: Packed.Win32.NSAnti.r
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\cert8.db
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\formhistory.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\GoogleToolbarData\googlesafebrowsing.db
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\history.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\key3.db
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\parent.lock
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\search.sqlite
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\urlclassifier2.sqlite
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Microsoft\Windows Live Contacts\crusainte@hotmail.com\real\members.stg
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Microsoft\Windows Live Contacts\crusainte@hotmail.com\shadow\members.stg
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\Cache\_CACHE_001_
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\Cache\_CACHE_002_
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\Cache\_CACHE_003_
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Application Data\Mozilla\Firefox\Profiles\qcw32ffr.default\Cache\_CACHE_MAP_
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Temp\~DF384E.tmp
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Temp\~DF385B.tmp
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Temp\~DF4C33.tmp
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Temp\~DF4D11.tmp
Object is locked
skipped

C:\Documents and Settings\Alex Yang\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Alex Yang\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\Alex Yang\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck
Object is locked
skipped

C:\Documents and Settings\LocalService\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Object is locked
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP142\A0043692.exe
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP154\A0044554.exe
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP157\A0044662.exe
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP157\A0044663.exe
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP158\A0045088.exe
Object is locked
skipped

C:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP159\change.log
Object is locked
skipped

C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped

C:\WINDOWS\SchedLgU.Txt
Object is locked
skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Object is locked
skipped

C:\WINDOWS\Sti_Trace.log
Object is locked
skipped

C:\WINDOWS\system32\CatRoot2\edb.log
Object is locked
skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb
Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\default
Object is locked
skipped

C:\WINDOWS\system32\config\default.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\ODiag.evt
Object is locked
skipped

C:\WINDOWS\system32\config\OSession.evt
Object is locked
skipped

C:\WINDOWS\system32\config\SAM
Object is locked
skipped

C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\software
Object is locked
skipped

C:\WINDOWS\system32\config\software.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\system
Object is locked
skipped

C:\WINDOWS\system32\config\system.LOG
Object is locked
skipped

C:\WINDOWS\system32\drivers\afdd.sys
Object is locked
skipped

C:\WINDOWS\system32\drivers\core.cache.dsk
Object is locked
skipped

C:\WINDOWS\system32\h323log.txt
Object is locked
skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped

C:\WINDOWS\wiadebug.log
Object is locked
skipped

C:\WINDOWS\wiaservc.log
Object is locked
skipped

C:\WINDOWS\WindowsUpdate.log
Object is locked
skipped

D:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

D:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP159\change.log
Object is locked
skipped

E:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

E:\System Volume Information\_restore{E132D4F4-F828-4908-A774-4EC6C1024FA6}\RP159\change.log
Object is locked
skipped

Scan process completed.

Shaba

2008-01-23, 11:33

Hi firidia and welcome to Safer Networking Forums :)

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

firidia

2008-01-23, 18:38

Shaba, thanks for the reply. The following are the Combofix log and HijackThis log.

Combofix log:
ComboFix 08-01-20.1 - Alex Yang 2008-01-24 0:27:10.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1776 [GMT 8:00]
Running from: C:\Documents and Settings\Alex Yang\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 00:32 . 2008-01-23 00:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\vpworkspace
2008-01-23 00:32 . 2008-01-23 00:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\.vplls
2008-01-20 23:40 . 2008-01-20 23:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 23:40 . 2008-01-20 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 22:36 . 2008-01-20 23:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-20 22:36 . 2008-01-20 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-20 22:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 21:30 . 2008-01-20 21:58 189 --a------ C:\WINDOWS\wininit.ini
2008-01-20 11:47 . 2008-01-20 11:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 11:47 . 2008-01-20 21:16 <DIR> d-------- C:\Documents and Settings\Alex Yang\Application Data\AVG7
2008-01-20 11:38 . 2008-01-20 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-20 11:22 . 2008-01-20 11:22 86,144 --a------ C:\WINDOWS\system32\drivers\afdd.sys
2008-01-07 21:51 . 2008-01-07 21:51 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-07 21:50 . 2008-01-07 21:50 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-07 21:48 . 2008-01-07 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-31 15:51 . 2007-12-31 15:51 <DIR> d-------- C:\Program Files\nHancer
2007-12-31 15:51 . 2007-12-31 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nHancer
2007-12-25 16:32 . 2007-12-25 16:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 15:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 03:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-31 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-25 08:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 03:33 --------- d-----w C:\Program Files\Nokia
2007-12-18 04:31 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\NSeries
2007-12-18 04:01 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\PC Suite
2007-12-18 03:57 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-18 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-18 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2007-12-18 03:40 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\Nokia
2007-12-18 03:37 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-18 03:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-18 03:36 --------- d-----w C:\Program Files\DIFX
2007-12-14 09:18 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\mIRC
2007-11-04 03:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-02 06:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-07 11:52 26,152 ----a-w C:\Documents and Settings\Alex Yang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_22.43.46.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"EPSON Stylus C67 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [2005-01-25 12:00 98304]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 17:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Auto EPSON Stylus C67 Series on AMD26-88"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [2005-01-25 12:00 98304]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-12 16:33 16384512 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 11:46 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 11:46 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^Alex Yang^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
backup=C:\WINDOWS\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-03-12 07:56 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 17:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2007-09-07 14:44 3100672 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"EventSystem"=3 (0x3)

R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2005-02-09 22:11]
S0 abcgibah;abcgibah;C:\WINDOWS\system32\drivers\abcgibah.sys []
S1 afdd;afdd;C:\WINDOWS\system32\drivers\afdd.sys [2008-01-20 11:22]
S2 XilinxPC4Driver;XilinxPC4Driver;C:\WINDOWS\system32\drivers\XPC4DRVR.SYS [2005-02-09 22:11]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys []
S4 Mass Effect(TM) Xbox 360;Mass Effect(TM) Xbox 360;"C:\WINDOWS\System32\dllcache\mfxbox.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4897ac2e-1304-11dc-8b54-00179a817a9c}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 00:29:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 0:29:57
ComboFix-quarantined-files.txt 2008-01-23 16:29:38
ComboFix2.txt 2008-01-20 14:44:18

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:21 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alex Yang\Desktop\Computer saving tools\Crustyhjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.singnet.com.sg:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on AMD26-88] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P40 "Auto EPSON Stylus C67 Series on AMD26-88" /O19 "\\AMD26-88\Printer4" /M "Stylus C67"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A7EFEAA-8059-4C69-8FE2-4BA999C3B102} (TrickCtrl Class) - https://ssl2.gcrest.com/trickster/cabs/TrickLauncher.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2005.2.2.cab
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {CD79C574-4775-4A42-A66B-D7071AE095AF} (SlideViewerOcx Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/SlideViewer.cab
O16 - DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} (NeffyManSpLauncherCtl Class) - http://dist.cdnetworks.co.jp/cdndist/streamport/SPort.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9956 bytes

Shaba

2008-01-23, 19:41

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\afdd.sys

Driver::
abcgibah
afdd

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

firidia

2008-01-24, 15:44

Thanks again Shaba, Ive loaded up the combofix using the CFScript. Here is the log:

Combofix log:

ComboFix 08-01-20.1 - Alex Yang 2008-01-24 21:32:27.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1780 [GMT 8:00]
Running from: C:\Documents and Settings\Alex Yang\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex Yang\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\afdd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\afdd.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AFDD
-------\abcgibah
-------\afdd

((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 00:32 . 2008-01-23 00:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\vpworkspace
2008-01-23 00:32 . 2008-01-23 00:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\.vplls
2008-01-20 23:40 . 2008-01-20 23:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 23:40 . 2008-01-20 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 22:36 . 2008-01-20 23:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-20 22:36 . 2008-01-20 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-20 22:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 21:30 . 2008-01-20 21:58 189 --a------ C:\WINDOWS\wininit.ini
2008-01-20 11:47 . 2008-01-20 11:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 11:47 . 2008-01-20 21:16 <DIR> d-------- C:\Documents and Settings\Alex Yang\Application Data\AVG7
2008-01-20 11:38 . 2008-01-20 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-07 21:51 . 2008-01-07 21:51 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-07 21:50 . 2008-01-07 21:50 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-07 21:48 . 2008-01-07 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-31 15:51 . 2007-12-31 15:51 <DIR> d-------- C:\Program Files\nHancer
2007-12-31 15:51 . 2007-12-31 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nHancer
2007-12-25 16:32 . 2007-12-25 16:32 <DIR> d-------- C:\Documents and Settings\Alex Yang\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 15:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 03:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-31 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-25 08:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 03:33 --------- d-----w C:\Program Files\Nokia
2007-12-18 04:31 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\NSeries
2007-12-18 04:01 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\PC Suite
2007-12-18 03:57 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-18 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-18 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2007-12-18 03:40 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\Nokia
2007-12-18 03:37 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-18 03:36 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-18 03:36 --------- d-----w C:\Program Files\DIFX
2007-12-14 09:18 --------- d-----w C:\Documents and Settings\Alex Yang\Application Data\mIRC
2007-11-04 03:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-10-07 11:52 26,152 ----a-w C:\Documents and Settings\Alex Yang\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_22.43.46.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 14:41:29 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 13:32:14 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 14:41:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 13:32:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 14:41:32 6,963,200 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 13:32:17 6,991,872 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 14:41:32 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 13:32:17 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"EPSON Stylus C67 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [2005-01-25 12:00 98304]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 17:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Auto EPSON Stylus C67 Series on AMD26-88"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [2005-01-25 12:00 98304]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-12 16:33 16384512 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 11:46 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 11:46 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^Alex Yang^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
backup=C:\WINDOWS\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-03-12 07:56 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 17:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2007-09-07 14:44 3100672 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"EventSystem"=3 (0x3)

R2 XilinxPC4Driver;XilinxPC4Driver;C:\WINDOWS\system32\drivers\XPC4DRVR.SYS [2005-02-09 22:11]
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2005-02-09 22:11]
S3 XDva011;XDva011;C:\WINDOWS\system32\XDva011.sys []
S4 Mass Effect(TM) Xbox 360;Mass Effect(TM) Xbox 360;"C:\WINDOWS\System32\dllcache\mfxbox.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4897ac2e-1304-11dc-8b54-00179a817a9c}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 21:36:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 21:39:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-24 13:39:44
ComboFix2.txt 2008-01-23 16:29:58
ComboFix3.txt 2008-01-20 14:44:18

firidia

2008-01-24, 15:45

Pardon the 2nd post, here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:52 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex Yang\Desktop\Computer saving tools\Crustyhjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.singnet.com.sg:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C67 Series on AMD26-88] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P40 "Auto EPSON Stylus C67 Series on AMD26-88" /O19 "\\AMD26-88\Printer4" /M "Stylus C67"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A7EFEAA-8059-4C69-8FE2-4BA999C3B102} (TrickCtrl Class) - https://ssl2.gcrest.com/trickster/cabs/TrickLauncher.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.com:88/renderer/mabiweb.2005.2.2.cab
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {CD79C574-4775-4A42-A66B-D7071AE095AF} (SlideViewerOcx Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/SlideViewer.cab
O16 - DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} (NeffyManSpLauncherCtl Class) - http://dist.cdnetworks.co.jp/cdndist/streamport/SPort.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10092 bytes

Shaba

2008-01-24, 15:54

Hi

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

Shaba

2008-01-29, 11:48

Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.