
Please help me get rid of Virtumonde



drblack12
2008-05-18, 21:58
Hi everyone, I hope you can help me get my system back to normal. I read "Before you post"; here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:58 PM, on 5/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\orlando\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\orlando\AppData\Local\Temp\efcAQJbA.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BM3226382d] Rundll32.exe "C:\Users\orlando\AppData\Local\Temp\fclkfgox.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Estadísticas del componente Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7284 bytes

KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 1:29:37 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 783219


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 127479
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 01:13:32

Infected Object Name Virus Name Last Action
C:\boot\bcd Object is locked skipped

C:\boot\BCD.LOG Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6ba1bcdc353ff0da3555678fef6e3aa1_cd658ccd-d264-4bef-9257-01354cf56d08 Object is locked skipped

C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008051820080519\index.dat Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat{ead00798-fdea-11dc-b2e0-001d724583c7}.TM.blf Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat{ead00798-fdea-11dc-b2e0-001d724583c7}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows\UsrClass.dat{ead00798-fdea-11dc-b2e0-001d724583c7}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows Live Contacts\drblack12@hotmail.com\real\members.stg Object is locked skipped

C:\Users\orlando\AppData\Local\Microsoft\Windows Live Contacts\drblack12@hotmail.com\shadow\members.stg Object is locked skipped

C:\Users\orlando\AppData\Local\Temp\NeroDemo12072\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\orlando\AppData\Local\Temp\~DF2F5A.tmp Object is locked skipped

C:\Users\orlando\AppData\Local\Temp\~DF2F5F.tmp Object is locked skipped

C:\Users\orlando\AppData\Local\Temp\~DF4284.tmp Object is locked skipped

C:\Users\orlando\AppData\Local\Temp\~DF4289.tmp Object is locked skipped

C:\Users\orlando\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\orlando\Downloads\nero_7751\Nero-7.7.5.1_esp.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Users\orlando\Downloads\nero_7751\Nero-7.7.5.1_esp.exe RAR: infected - 1 skipped

C:\Users\orlando\NTUSER.DAT Object is locked skipped

C:\Users\orlando\ntuser.dat.LOG1 Object is locked skipped

C:\Users\orlando\ntuser.dat.LOG2 Object is locked skipped

C:\Users\orlando\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Users\orlando\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\orlando\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\COMPONENTS Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped

C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped

C:\Windows\System32\config\RegBack\SAM Object is locked skipped

C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped

C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped

C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped

C:\Windows\System32\config\SAM Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\SECURITY Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\SOFTWARE Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\SYSTEM Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped

C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

D:\System Volume Information\Desktop.ini Object is locked skipped

D:\System Volume Information\Folder.htt Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\protect.chinese hong kong Object is locked skipped

D:\System Volume Information\protect.chinese simplified Object is locked skipped

D:\System Volume Information\protect.chinese traditional Object is locked skipped

D:\System Volume Information\protect.czech Object is locked skipped

D:\System Volume Information\protect.danish Object is locked skipped

D:\System Volume Information\protect.dutch Object is locked skipped

D:\System Volume Information\Protect.ed Object is locked skipped

D:\System Volume Information\protect.english Object is locked skipped

D:\System Volume Information\protect.finnish Object is locked skipped

D:\System Volume Information\protect.french Object is locked skipped

D:\System Volume Information\protect.german Object is locked skipped

D:\System Volume Information\protect.greek Object is locked skipped

D:\System Volume Information\protect.hebrew Object is locked skipped

D:\System Volume Information\protect.hungarian Object is locked skipped

D:\System Volume Information\protect.italian Object is locked skipped

D:\System Volume Information\protect.japanese Object is locked skipped

D:\System Volume Information\protect.korean Object is locked skipped

D:\System Volume Information\protect.norwegian Object is locked skipped

D:\System Volume Information\protect.polish Object is locked skipped

D:\System Volume Information\protect.portuguese Object is locked skipped

D:\System Volume Information\protect.portuguese brazilian Object is locked skipped

D:\System Volume Information\protect.russian Object is locked skipped

D:\System Volume Information\protect.spanish Object is locked skipped

D:\System Volume Information\protect.swedish Object is locked skipped

D:\System Volume Information\protect.turkish Object is locked skipped

Scan process completed.
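
The two HKCU Run values above that call rundll32 on a randomly named DLL in the user's Temp folder ([cmds] and [BM3226382d]) are the entries a helper would pick out of this log by eye. The following is an added example, not part of the original post or of HijackThis itself: a small Python triage script that applies that inspection to HJT-style lines, flagging Run values that load a DLL from a user-writable directory, O3/O9 entries whose file is missing, and O23 services with an unknown owner. The sample lines are copied from the log above; the severity labels and the single-character-export heuristic are this example's own choices, not anything the thread states.

```python
"""Triage of HijackThis-style autorun entries (added example; not from the thread).

Reproduces in code the inspection a forum helper performs by eye on an HJT
log: it flags O4 Run values that use rundll32 to load a DLL from a
user-writable directory such as %TEMP% (the pattern of the [cmds] and
[BM3226382d] entries in the log above), O3/O9 entries whose file is gone,
and O23 services with an unknown owner. Heuristics only: a hit means
"look at this", not "this is malware".
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied verbatim from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\orlando\AppData\Local\Temp\efcAQJbA.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BM3226382d] Rundll32.exe "C:\Users\orlando\AppData\Local\Temp\fclkfgox.dll",s
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
"""

# O4 - HKCU\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] "<dll>",<export>  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)$', re.I)
# Directories a standard user can write to; a DLL autostarting from here deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Local Settings|Application Data)\\", re.I)
# O3 toolbar / O9 IE button whose backing file no longer exists
NO_FILE_RE = re.compile(r"^O(?:3|9) - .*\{(?P<clsid>[0-9A-Fa-f-]+)\}.* - \(no file\)$")
# O23 - Service: <description (ShortName)> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    severity: str            # "high" (act on it) or "review" (verify by hand)
    label: str               # Run-value name, CLSID, or service short name
    line: str                # the original log line
    reasons: list = field(default_factory=list)


def parse_rundll(cmd):
    """Return (dll_path, export) if cmd is a rundll32 invocation, else None."""
    m = RUNDLL_RE.match(cmd.strip())
    return (m.group("dll"), m.group("export")) if m else None


def check_o4(line):
    m = O4_RE.match(line)
    if not m:
        return None
    parsed = parse_rundll(m.group("cmd"))
    if not parsed:
        return None
    dll, export = parsed
    reasons, severity = [], None
    if USER_WRITABLE_RE.search(dll):
        reasons.append(f"rundll32 loads {dll} from a user-writable directory")
        severity = "high"
    if len(export) <= 1:  # heuristic: legitimate exports are normally descriptive names
        reasons.append(f"export name {export!r} is a single character")
        severity = severity or "review"
    return Finding(severity, m.group("name"), line, reasons) if reasons else None


def check_no_file(line):
    m = NO_FILE_RE.match(line)
    if not m:
        return None
    return Finding("review", m.group("clsid"), line,
                   ["registered COM object whose file is missing; leftover or partial removal"])


def check_o23(line):
    m = O23_RE.match(line)
    if not m or m.group("owner") != "Unknown owner":
        return None
    short = re.search(r"\(([^()]+)\)\s*$", m.group("desc"))
    label = short.group(1) if short else m.group("desc")
    return Finding("review", label, line,
                   [f"service binary {m.group('path')} has no publisher recorded; verify vendor/signature"])


def triage(log_text):
    """Run every checker over each line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        for checker in (check_o4, check_no_file, check_o23):
            hit = checker(line)
            if hit:
                findings.append(hit)
                break
    return findings


def high_risk_labels(findings):
    return sorted(f.label for f in findings if f.severity == "high")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.label}: " + "; ".join(f.reasons))
```

Run against the sample, the two Temp-resident rundll32 entries come out as high and the missing-file toolbar and the unknown-owner HP service as review items; the Kaspersky, NVIDIA and Spybot lines produce nothing. The checks are deliberately narrow so they can be read and extended; a real triage would also verify the Authenticode signature of every flagged binary.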

Blade81
2008-05-20, 11:25
Hi

Please uninstall Spybot for now to make sure TeaTimer won't interfere with the fix. You may reinstall it after the system is all clean.


1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

drblack12
2008-05-23, 04:46
Hey, here are my new logs. I have to tell you that just after I ran ComboFix, it seems to me that my PC is running normally again. Thanks, man.

ComboFix 08-05-19.4 - orlando 2008-05-20 17:47:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1929 [GMT -6:00]
Running from: C:\Users\orlando\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\KBL.LOG

----- BITS: Possible infected sites -----

hxxp://h30155.www3.hp.com
.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-17 21:40 . 2008-05-17 21:40 0 --a------ C:\Windows\nsreg.dat
2008-05-16 13:56 . 2008-05-20 14:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 09:45 . 2008-05-16 09:45 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-14 14:23 . 2008-05-20 14:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-14 14:23 . 2008-05-20 14:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-14 13:02 . 2008-02-14 17:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-05-14 13:02 . 2008-02-18 23:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-05-14 13:02 . 2008-02-29 00:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-05-14 13:02 . 2008-02-29 00:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-05-14 13:02 . 2008-02-29 00:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-05-14 13:02 . 2008-02-29 00:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-05-14 13:02 . 2008-02-29 00:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-05-14 13:02 . 2008-02-29 00:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-05-14 13:02 . 2008-02-29 00:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-05-11 15:09 . 2008-05-11 16:29 <DIR> d-------- C:\Temp
2008-05-07 09:27 . 2008-05-07 09:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-02 16:04 . 2008-05-02 16:04 <DIR> d-------- C:\Users\orlando\AppData\Roaming\WildTangent
2008-05-02 09:17 . 2008-05-15 21:23 <DIR> d-------- C:\Users\orlando\AppData\Roaming\LimeWire
2008-04-29 21:46 . 2008-04-29 21:59 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 21:45 . 2008-04-29 22:00 <DIR> d-------- C:\Program Files\Windows Live
2008-04-29 21:44 . 2008-04-29 21:44 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-04-29 21:44 . 2008-04-29 21:44 <DIR> d-------- C:\ProgramData\WLInstaller
2008-04-25 12:13 . 2008-04-25 12:13 <DIR> d-------- C:\Users\orlando\AppData\Roaming\Ahead
2008-04-25 12:02 . 2008-04-25 12:02 <DIR> d-------- C:\Users\Public\CyberLink
2008-04-25 12:01 . 2008-04-25 12:01 <DIR> d-------- C:\Users\All Users\Nero
2008-04-25 12:01 . 2008-04-25 12:01 <DIR> d-------- C:\Users\All Users\LightScribe
2008-04-25 12:01 . 2008-04-25 12:01 <DIR> d-------- C:\ProgramData\Nero
2008-04-25 12:01 . 2008-04-25 12:01 <DIR> d-------- C:\ProgramData\LightScribe
2008-04-25 12:01 . 2008-04-25 12:01 <DIR> d-------- C:\Program Files\Nero
2008-04-25 12:01 . 2008-04-25 12:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-25 11:19 . 2008-04-25 11:35 96,645 --a------ C:\Windows\System32\drivers\klin.dat
2008-04-25 11:19 . 2008-04-25 11:35 87,941 --a------ C:\Windows\System32\drivers\klick.dat
2008-04-25 11:17 . 2008-05-20 17:52 7,850,784 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-04-25 11:17 . 2008-05-20 14:35 107,144 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-04-25 11:16 . 2008-05-20 14:44 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-25 11:16 . 2008-05-20 14:44 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-25 11:16 . 2008-04-25 11:16 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-25 10:58 . 2008-04-25 10:58 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-04-25 10:57 . 2008-04-25 10:57 <DIR> d-------- C:\Users\Public\kaspersky 7 0 0 125 español desde kaspersky key 27 02 2009 y serial furty
2008-04-25 10:37 . 2006-10-26 20:58 30,512 --a------ C:\Windows\System32\mdimon.dll
2008-04-25 10:35 . 2008-04-25 10:35 <DIR> d-------- C:\Windows\PCHEALTH
2008-04-25 10:35 . 2008-04-25 10:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-25 10:31 . 2008-04-25 10:31 <DIR> dr-h----- C:\MSOCache
2008-04-25 10:19 . 2008-04-25 11:15 <DIR> d-------- C:\KAV
2008-04-24 21:57 . 2008-04-24 22:04 <DIR> d-------- C:\Users\All Users\AOL
2008-04-24 21:57 . 2008-04-24 22:04 <DIR> d-------- C:\ProgramData\AOL
2008-04-24 21:47 . 2008-02-28 22:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-24 21:47 . 2008-02-20 22:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-24 21:47 . 2007-12-16 05:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-24 21:47 . 2007-12-16 05:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-24 21:35 . 2008-05-13 18:21 54,503 --a------ C:\Users\orlando\AppData\Roaming\nvModes.dat
2008-04-24 15:55 . 2008-04-24 15:55 <DIR> d-------- C:\Users\orlando\AppData\Roaming\HP
2008-04-24 15:55 . 2008-04-27 17:56 <DIR> d-------- C:\Users\orlando\AppData\Roaming\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 20:08 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 19:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-13 16:09 --------- d-----w C:\ProgramData\CyberLink
2008-05-02 22:09 --------- d-----w C:\ProgramData\WildTangent
2008-04-25 16:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-25 16:14 --------- d-----w C:\ProgramData\Symantec
2008-04-25 15:58 --------- d-----w C:\Program Files\Vongo
2008-04-25 15:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 04:14 --------- d-----w C:\ProgramData\HP
2008-04-25 03:50 --------- d-----w C:\Program Files\HP
2008-04-25 03:47 --------- d-----w C:\Program Files\Yahoo!
2008-04-25 03:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-30 04:45 --------- d-----w C:\Users\orlando\AppData\Roaming\Hewlett-Packard
2008-03-30 04:45 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-03-30 04:43 --------- d-----w C:\Users\orlando\AppData\Roaming\Symantec
2008-03-30 04:43 --------- d-----w C:\ProgramData\NVIDIA
2008-03-30 04:09 --------- d-----w C:\ProgramData\Electronic Arts
2008-03-30 04:09 --------- d-----w C:\Program Files\Electronic Arts
2008-03-30 04:02 --------- d-----w C:\Program Files\HPQ
2008-03-30 04:02 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-30 04:00 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv2700 Notebook PC_Y5335KV_0U_Q2CE8041JHT_E459208-002_4A_I30D6_SWistron_V81.49_F.14_T071130_WV3-0_L409_M3007_J160_7AMD_8F82_92.10_#071102_N14E44315;10DE054C_(KC463UA#ABA)_XMOBILE_CN10_Z.MRK
2008-03-30 04:00 --------- d-----w C:\Users\orlando\AppData\Roaming\InstallShield
2008-03-30 04:00 --------- d-----w C:\Program Files\Broadcom
2008-03-29 19:23 --------- d-----w C:\Program Files\CONEXANT
2008-03-29 19:05 --------- d-----w C:\Users\orlando\AppData\Roaming\GTek
2008-03-29 18:18 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-29 17:52 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-29 17:52 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-03-29 17:52 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-29 17:52 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-03-29 17:52 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2008-03-29 17:51 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-29 17:51 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-29 17:51 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-29 17:51 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-29 17:51 299,008 ----a-w C:\Windows\System32\wlansec.dll
2008-03-29 17:51 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-29 17:51 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-03-29 17:51 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-29 17:51 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-03-29 17:50 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-29 17:50 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-03-29 17:46 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-29 17:46 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-29 17:46 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-29 17:46 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-29 17:46 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-29 17:46 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-29 17:44 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-03-29 17:44 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-03-29 17:44 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-29 17:44 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-03-29 17:44 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-29 17:44 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-03-29 17:44 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-03-29 17:44 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-29 17:44 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-03-29 17:43 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-03-29 17:43 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-03-29 17:43 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-29 17:43 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-29 17:43 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-29 17:43 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-29 17:43 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-29 17:43 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-29 17:43 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-03-29 17:43 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-29 17:42 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-03-29 17:42 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-29 17:42 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-03-29 17:42 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-03-29 17:42 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-03-29 17:41 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-29 17:40 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-29 17:38 --------- d-----w C:\Program Files\Java
2008-03-29 17:36 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-03-29 17:06 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-03-29 17:06 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-03-29 17:06 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-03-29 17:05 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-03-29 17:04 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-03-29 17:04 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-03-29 17:04 33,624 ----a-w C:\Windows\System32\wups.dll
2008-03-29 17:03 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-03-29 17:03 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-03-04 09:34 2,125,312 ----a-w C:\Windows\System32\CnxtAp32.dll
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-11-02 08:26 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}]
2007-08-31 12:32 177504 --a------ c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-29 11:43 1232896]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [ ]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-18 23:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-18 23:05 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-18 23:05 81920]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-07-09 02:11 159744]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-09-30 21:34 181544]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 16:31 202032]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 15:54 554320]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-02 01:45 1006264]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 13:51 218376]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 03:45 222208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Users^orlando^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Users\orlando\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\Windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^orlando^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Recorte de pantalla e Inicio rápido de OneNote 2007.lnk]
path=C:\Users\orlando\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recorte de pantalla e Inicio rápido de OneNote 2007.lnk
backup=C:\Windows\pss\Recorte de pantalla e Inicio rápido de OneNote 2007.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\31150bb1]
C:\Users\orlando\AppData\Local\Temp\mtneknxf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-01-15 17:14 147456 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3226382d]
C:\Users\orlando\AppData\Local\Temp\jpjfuoaf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
--a------ 2008-05-09 22:30 374272 C:\Users\orlando\AppData\Local\Temp\efcAQJbA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 18:36 455968 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\orlando\AppData\Local\Temp\rqRKAQKE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
--------- 2007-08-17 01:13 218408 C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0D1A302D-8F2B-415C-86F9-DA1542419F2D}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D03E6D96-2E82-4B3C-B1C8-48029A001DF0}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{28C3ABFA-31CF-4625-9894-78C32C773282}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4D630C61-B791-4168-9D33-4A64A5F7450F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8F96A033-C107-4059-B309-EF34092D92F5}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{45AEBAB3-743C-4A9F-A278-BA597C8B0134}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{91D340FD-2951-4E5B-87C2-57F25A5923BC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{97FC2888-0F83-456D-B694-B39264C88932}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{57A55DCB-2730-478E-98EB-6CC3C4E96661}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0AD5B223-8147-4E9A-B40B-8DF3ECAA4298}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7F4D586F-1FB1-4F87-978D-12AB0058D589}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6B521238-947E-4E1F-AA4C-54A6DBF2F3C0}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{941902F6-5AB0-4B01-9F32-2E688A20CFD7}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{65E557C6-5AD2-497A-9BFF-9D3A32CAEE3D}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7E852D08-AEC9-47B6-9198-621930F285FC}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7F2768B6-5563-4464-BABD-E81AE1934828}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 15:59]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 21:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 21:34]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 07:36]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 03:32]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 12:30]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-15 19:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-13 00:50]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe" [2007-07-23 17:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8d0c-203e-11dd-bafd-001d724583c7}]
\shell\Auto\Command - debian.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL debian.exe
\shell\CMD\Command - debian.exe
\shell\Explore\Command - debian.exe
\shell\find\command - debian.exe
\shell\Open\command - debian.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8eb2-203e-11dd-bafd-001d724583c7}]
\shell\auto\command - F:\Knight.exe open
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Knight.exe open
\shell\explore\command - F:\Knight.exe open
\shell\find\command - F:\Knight.exe open
\shell\install\command - F:\Knight.exe open
\shell\open\command - F:\Knight.exe open

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 17:52:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-20 17:55:03
ComboFix-quarantined-files.txt 2008-05-20 23:54:55

Pre-Run: 89,827,516,416 bytes free
Post-Run: 90,494,828,544 bytes free

290 --- E O F --- 2008-05-16 14:30:26


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:10 PM, on 5/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\orlando\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Estadísticas del componente Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6880 bytes

Blade81
2008-05-23, 07:42
Hi


Start hjt, do a system scan, check:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Users\orlando\AppData\Local\Temp\efcAQJbA.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\31150bb1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3226382d]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8d0c-203e-11dd-bafd-001d724583c7}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8eb2-203e-11dd-bafd-001d724583c7}]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting the above mentioned ComboFix resultant log).

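As an added illustration of how the CFScript above was put together (this is editorial example code, not part of the thread and not ComboFix's own tooling), the Python script below reads the "Reg Loading Points" section of a ComboFix log and derives the File:: and Registry:: sections using the same three criteria the helper applied by hand: msconfig startupreg load points that live in the user's Temp folder (with a File:: entry only when ComboFix printed attributes, date and size, i.e. the DLL still exists on disk), BHO CLSIDs registered with no file beneath them, and mountpoints2 keys carrying cached autorun.inf shell handlers. The sample input is excerpted from the ComboFix log posted earlier in this thread; the selection rules, regexes and function names are assumptions made for this example, and the result is a starting point to review, not a script to run blind.

```python
"""Derive a ComboFix CFScript from the 'Reg Loading Points' section of a ComboFix log."""
import re
from collections import OrderedDict

# Constructed sample input: key/value lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}]
2007-08-31 12:32 177504 --a------ c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\31150bb1]
C:\Users\orlando\AppData\Local\Temp\mtneknxf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-01-15 17:14 147456 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM3226382d]
C:\Users\orlando\AppData\Local\Temp\jpjfuoaf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
--a------ 2008-05-09 22:30 374272 C:\Users\orlando\AppData\Local\Temp\efcAQJbA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\orlando\AppData\Local\Temp\rqRKAQKE.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8d0c-203e-11dd-bafd-001d724583c7}]
\shell\Auto\Command - debian.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL debian.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e5f8eb2-203e-11dd-bafd-001d724583c7}]
\shell\auto\command - F:\Knight.exe open
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Knight.exe open
"""

# A Windows path ending in .dll or .exe, wherever it sits on the value line.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))\b", re.IGNORECASE)
# A per-user or system Temp folder is not where a legitimate product installs a load point.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.IGNORECASE)
# ComboFix prints date, time and size only when the referenced file exists on disk.
META_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+")


def parse_load_points(text):
    """Map each [registry key] header to the value lines printed beneath it."""
    entries = OrderedDict()
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = []
        elif key is not None:
            entries[key].append(line)
    return entries


def select_targets(entries):
    """Return (files_to_delete, keys_to_delete) using the criteria a helper applies by hand."""
    files, keys = [], []
    for key, values in entries.items():
        lk = key.lower()
        if "browser helper objects" in lk and not values:
            keys.append(key)  # BHO CLSID registered but its DLL no longer exists
        elif "\\msconfig\\startupreg\\" in lk:
            for value in values:
                match = PATH_RE.search(value)
                if match and TEMP_RE.search(match.group(1)):
                    keys.append(key)  # disabled-but-still-present load point in Temp
                    if META_RE.search(value):
                        files.append(match.group(1))  # the DLL is still on disk
        elif "\\explorer\\mountpoints2\\" in lk and any("\\shell\\" in v.lower() for v in values):
            keys.append(key)  # autorun.inf handlers cached from an infected removable drive
    return files, keys


def build_cfscript(text):
    """Render File:: and Registry:: sections in the syntax ComboFix expects."""
    files, keys = select_targets(parse_load_points(text))
    out = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    out.append("Registry::")
    for key in keys:
        out.append(f"[-{key}]")
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

On the sample above the script emits one File:: line (efcAQJbA.dll, the only Temp DLL ComboFix found on disk) and seven [-key] deletions, which is the same set the helper listed. The legitimate entries (NMBgMonitor.exe under Program Files, the HP printing BHO whose DLL is present) are left alone, and the security center DisableMonitoring values are deliberately not touched, since third-party security suites commonly set them and they are not evidence of infection on their own. Treat every hit as something to check against the full log before it goes into a CFScript.
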
Blade81
2008-05-29, 20:55
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.