PDA

View Full Version : Serious Help Needed - Please REPLY ASAP



crzyon323
2008-02-26, 03:18
Hi i recently reinstalled XP on my computer along with limewire, i downloaded a file opened it n it said the file was corrupt. Next thing i know i have a bunch of pop ups coming up. I noticed a file named Rabco installed on my computer. Can someone help me on removin this file. It would greatly be appreciated. Here is my Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16:29, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [8c29dfbf] rundll32.exe "C:\WINDOWS\system32\lkncuvpy.dll",b
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3183 bytes

ndmmxiaomayi
2008-02-26, 09:23
Hi,

I would advise that you stop all your P2P activities. Besides putting your computer at risk of infection, a poorly configured P2P client will leak sensitive information as well.

The risks of using a P2P program are stated in this Sourceforge website (http://aresgalaxy.sourceforge.net/p2prisks.htm) and Information Week article (http://www.informationweek.com/security/showArticle.jhtml?articleID=53200209&pgno=2&queryText=).

A list of clean and infected P2P programs can be found at Malware Removal (http://p2p.malwareremoval.com/) and Spyware Info (http://www.spywareinfo.com/articles/p2p/).

Please also read this sticky (http://forums.spybot.info/showthread.php?t=282).

I would also like to see a list of installed programs on your computer before continuing.

Please download and install CCleaner Slim (http://www.ccleaner.com/download/builds/downloading-slim).
Once installed, double click on the desktop shortcut created.
On the leftmost column, click on Tools.
On the middle column, click on Uninstall.
At the bottom right hand corner, click on the Save to text file... button.
By default, it saves this file to C:\Program Files\CCleaner named install.txt. You may want to save it to your desktop to find it easily. Click Save.
Close CCleaner.

Please post back the CCleaner install.txt file in your next reply.

crzyon323
2008-02-26, 14:32
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 8.1.2
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
AIM 6
CCleaner (remove only)
Command
HijackThis 2.0.2
Intel(R) Extreme Graphics 2 Driver
Java(TM) 6 Update 4
Kaspersky Anti-Virus 7.0
Mozilla Firefox (2.0.0.12)
Network Monitor
PDF Settings
RABCO
Security Update for Windows XP (KB912812)
SoundMAX
USB 2.0 Wireless LAN Card Utility
Viewpoint Media Player
WebFldrs XP
Winamp
Winamp Remote
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB839210

ndmmxiaomayi
2008-02-26, 17:35
Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

crzyon323
2008-02-27, 00:47
Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 76487-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {CDFB60CE-923D-47F5-8DB5-3CE555C62970}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_16E0B333-156-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CDFB60CE-923D-47F5-8DB5-3CE555C62970}</UGUID><Version>1.7.0069.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>76487-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-299502267-2077806209-725345543</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 3000 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A02</Version><SMBIOSVersion major="2" minor="3"/><Date>20041108000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>AE3333E70184605C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>

ndmmxiaomayi
2008-02-27, 06:22
Hi,

Step 1

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download Combofix from Bleeping Computer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe). Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware (http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Locate Command and click on Edit uninstall command button. Copy and paste this to a Notepad file and save it.
Repeat for PDF Settings. Please post the 2 uninstall commands of these 2 programs in your next reply.

In your next reply, please post:

Combofix log (C:\Combofixt.txt)
The uninstall commands of the 2 programs
A new HijackThis log

crzyon323
2008-02-28, 01:27
There was no "Command" in the list that on HiJackThis

Here is the PDF Setting Uninstall Command:
MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}

Here is the Combofix & Hijackthis:

ComboFix 08-02-25.3 - Administrator 2008-02-27 7:48:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.176 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\c.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\svchost.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\Fonts\-
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\byxyyvv.dll
C:\WINDOWS\system32\czobidkb.dllbox
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\knbqltfs.dll
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qqoffbjy.dll
C:\WINDOWS\system32\ryjnhqsu.dll
C:\WINDOWS\system32\sftlqbnk.ini
C:\WINDOWS\system32\vtusqqp.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\ypvucnkl.ini
C:\WINDOWS\uninstall_nmon.vbs
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-26 22:21 . 2008-02-26 22:21 <DIR> d-------- C:\Program Files\IrfanView
2008-02-26 21:37 . 2008-02-26 21:38 <DIR> d-------- C:\Program Files\MagicISO
2008-02-26 18:06 . 2008-02-26 21:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-02-26 17:42 . 2008-02-26 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-26 07:31 . 2008-02-26 07:31 <DIR> d-------- C:\Program Files\CCleaner
2008-02-26 01:20 . 2008-02-26 01:20 <DIR> d-------- C:\WINDOWS\Sun
2008-02-25 19:46 . 2008-02-27 08:39 163,904 --a------ C:\WINDOWS\system32\vlhxbxjv.dll
2008-02-25 07:28 . 2008-02-25 07:28 260 --a------ C:\4756.bat
2008-02-25 04:00 . 2008-02-25 04:00 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-25 04:00 . 2008-02-25 04:00 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-25 03:58 . 2008-02-25 03:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-25 03:58 . 2008-02-27 08:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 03:58 . 2008-02-27 08:44 1,146,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-25 03:58 . 2008-02-27 08:44 59,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-25 03:58 . 2008-02-27 08:40 12,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-25 03:58 . 2008-02-27 08:40 6,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-25 03:57 . 2008-02-25 03:57 <DIR> d-------- C:\kav
2008-02-25 03:34 . 2008-02-25 03:37 <DIR> d-------- C:\Photos
2008-02-25 03:28 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-24 23:09 . 2008-02-24 23:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-02-24 23:07 . 2008-02-24 23:07 <DIR> d-------- C:\Program Files\Viewpoint
2008-02-24 23:07 . 2008-02-24 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-24 23:06 . 2008-02-24 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-24 23:06 . 2008-02-24 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 23:05 . 2008-02-24 23:05 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-24 23:05 . 2008-02-24 23:07 <DIR> d-------- C:\Program Files\AIM6
2008-02-24 23:05 . 2008-02-24 23:07 482 --ah----- C:\IPH.PH
2008-02-24 23:03 . 2008-02-24 23:03 <DIR> d-------- C:\Program Files\QuickTime
2008-02-24 23:01 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-02-24 23:01 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-02-24 22:34 . 2008-02-24 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 22:14 . 2008-02-24 22:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-24 22:11 . 2008-02-25 07:35 <DIR> d--hs---- C:\WINDOWS\QmxhcU91dCBFbnQu
2008-02-24 22:11 . 2008-02-24 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 22:11 . 2008-02-24 22:11 40,960 --a------ C:\Documents and Settings\Administrator\f.exe
2008-02-24 22:11 . 2008-02-24 22:11 134 --a------ C:\n.bat
2008-02-24 22:10 . 2008-02-24 22:10 <DIR> d-------- C:\WINDOWS\system32\xb8
2008-02-24 22:10 . 2008-02-25 07:30 <DIR> d-------- C:\WINDOWS\system32\to2
2008-02-24 22:10 . 2008-02-25 07:28 <DIR> d-------- C:\WINDOWS\system32\ff3
2008-02-24 22:10 . 2008-02-24 22:10 <DIR> d-------- C:\WINDOWS\system32\cms4
2008-02-24 22:10 . 2008-02-27 08:05 <DIR> d-------- C:\Temp
2008-02-24 21:31 . 2008-02-25 19:11 1,681 --a------ C:\WINDOWS\mozver.dat
2008-02-24 21:28 . 2008-02-24 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-24 21:20 . 2008-02-24 21:20 <DIR> d-------- C:\Program Files\Bonjour
2008-02-24 21:14 . 2008-02-24 21:14 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-24 21:12 . 2008-02-24 22:59 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-24 21:05 . 2008-02-24 21:05 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-24 21:05 . 2008-02-24 21:05 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-24 21:05 . 2001-10-04 14:50 991,232 --a------ C:\WINDOWS\system32\virtear.dll
2008-02-24 21:05 . 2001-09-19 12:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-24 21:05 . 2004-09-17 09:02 732,928 --a------ C:\WINDOWS\system32\drivers\senfilt.sys
2008-02-24 21:05 . 2004-09-23 07:55 311,296 --a------ C:\WINDOWS\system32\Edcrypt.dll
2008-02-24 21:05 . 2005-01-27 15:31 260,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-24 21:05 . 2003-08-19 18:36 65,536 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-24 21:05 . 2004-11-19 10:00 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-24 21:05 . 2002-04-17 14:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-24 21:05 . 2004-10-05 16:10 23,040 --a------ C:\WINDOWS\system32\PostProc.dll
2008-02-24 20:57 . 2008-02-24 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-02-24 20:56 . 2008-02-24 20:59 <DIR> d-------- C:\Program Files\Winamp Remote
2008-02-24 20:54 . 2008-02-24 20:58 <DIR> d-------- C:\Program Files\Winamp
2008-02-24 20:54 . 2008-02-24 20:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Winamp
2008-02-24 20:50 . 2008-02-25 18:43 <DIR> d-------- C:\My Music
2008-02-24 20:50 . 2008-02-25 03:50 <DIR> d-------- C:\Incomplete
2008-02-24 20:49 . 2008-02-24 20:49 <DIR> d-------- C:\Program Files\Java
2008-02-24 20:49 . 2008-02-25 04:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-02-24 20:49 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-24 20:47 . 2008-02-24 20:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-24 20:38 . 2008-02-24 20:38 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-24 20:36 . 2004-02-10 11:50 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-02-24 20:00 . 2008-02-24 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prism
2008-02-24 19:59 . 2008-02-24 21:05 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-24 19:59 . 2008-02-24 19:59 <DIR> d-------- C:\Program Files\Dell Wireless
2008-02-24 19:59 . 2008-02-24 19:59 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-24 19:59 . 2006-10-26 12:22 1,396,827 -ra------ C:\WINDOWS\system32\PRISME5.dll
2008-02-24 19:59 . 2006-10-12 09:42 450,649 -ra------ C:\WINDOWS\system32\PRISMAPI.dll
2008-02-24 19:59 . 2006-10-12 09:44 385,113 -ra------ C:\WINDOWS\system32\PRISMSVR.exe
2008-02-24 19:59 . 2006-10-26 12:22 357,344 -ra------ C:\WINDOWS\system32\drivers\PRISMA02.sys
2008-02-24 19:59 . 2006-10-12 09:45 61,529 -ra------ C:\WINDOWS\system32\PRISMSVC.exe
2008-02-24 19:59 . 2006-10-26 12:22 49,152 -ra------ C:\WINDOWS\system32\StopSrvr.exe
2008-02-24 19:59 . 2006-10-27 18:05 49,152 -ra------ C:\WINDOWS\system32\CoPrism.dll
2008-02-24 19:59 . 2006-10-26 12:22 20,747 -ra------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 09:11 118,222 ----a-w C:\WINDOWS\Fonts\x.zip
2008-02-22 22:54 --------- d-----w C:\Program Files\microsoft frontpage
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QmxhcU91dCBFbnQu\kAU1wo6YxF1IvBkR.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{218A4EE1-F2EC-471E-B8A3-BB61A6CEE946}]
C:\WINDOWS\system32\gebyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2008-02-24 19:59:54 921707]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
PRISMAPI.DLL 2006-10-12 09:42 450649 C:\WINDOWS\system32\PRISMAPI.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE [2006-10-12 09:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 08:44:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-27 9:08:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 13:47:53



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:15:55, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll (file missing)
O2 - BHO: (no name) - {218A4EE1-F2EC-471E-B8A3-BB61A6CEE946} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3451 bytes

ndmmxiaomayi
2008-02-28, 10:29
Hi,

Before I continue, Combofix has removed some files which are signs of passwords being stolen.

Here are the files which I mentioned above:


C:\x.dat
C:\z.dat

I highly recommend that you reformat and reinstall your computer, because there's a chance that it has been compromised.

Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, please let me know.

Here are some things to read about:

What are Remote Access Trojans and why are they dangerous (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
How do I respond to a possible identity theft and how do I prevent it (http://www.dslreports.com/faq/10451)
When should do a reformat and reinstallation of my OS (http://www.dslreports.com/faq/10063)
Where to backup your files (http://www.microsoft.com/athome/security/update/wherebackup.mspx)
How to backup your files in Windows XP (http://www.microsoft.com/athome/security/update/howbackup.mspx)
Restoring your backups (http://support.microsoft.com/kb/309340)

Not only so, passwords may have been stolen.

If you do online banking, please keep a close eye on your bank statements for anything suspicious. Call up the bank if the statements look fishy.

Also, you need to change all your passwords from another clean computer.

Please let me know your decision. Thanks.

crzyon323
2008-02-29, 15:47
If we continue with the cleanup will the virus be wipped out of my system or will it still be on there? I just recently reinstalled windows after a previous virus. I havent dont anything serious as far as password information, just myspace and aim. If the process will get rid of everything i will continue.

ndmmxiaomayi
2008-02-29, 16:22
There's no guarantee for such issues. We can fix certain things (remove bad files and fix known bad registry entries), but we don't know what in Windows has been modified when the computer is infected.

ndmmxiaomayi
2008-03-06, 18:04
Hello,

May I know your decision.

Thanks.