PDA

View Full Version : Win32.Agent.bgy Win32.Bagle.pd


Yairp
2008-05-19, 23:11
Hi and thanks in advance for any help.

I use Spybot and several days ago in a scan I detected Win32.Agent.bgy registry entry. I removed it and it was back. I removed it in safe mode and it was back. I read too little on this forum yesterday and ran Combofix (it deleted 4 files), then realized my error and read the "read this BEFORE you post" post and followed it today.

KOS found 2 items - 4 different instances of Win32.Bagle.pd that were in different locations and 2 instances of P2P-worm.Win32.Kapucen.b that were in the Norton Quarantine directory.

I ran Spybot in safe mode on the admin account and found nothing, ran it again on the owner account and found the Agent again, removed it and ran again and it came up clean, but I'm sure that now that I've rebooted the system it will be there again.

I copy / paste below the HJT log, the KOS log and the CF report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:24, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk.disabled
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188127250468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} (RemoteCfg Class) - http://www.012.net/securemail/auto/fwTechTool.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC101D23-7C48-4E05-A199-A3D3E5B4D27B}: NameServer = 84.95.14.250,212.116.161.38
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9377 bytes

Now the KOS report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 9:43:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 785155
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 157824
Number of viruses found: 4
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:39:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-19_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\081340DC.tmp Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\461141D9.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\DC89164E.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\Working\database_4038_1F50_381F_43F6\dfsr.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\Working\database_4038_1F50_381F_43F6\fsr.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\Working\database_4038_1F50_381F_43F6\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\yairpel@yahoo.com\SharingMetadata\Working\database_4038_1F50_381F_43F6\tmp.edb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\yairpel@yahoo.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\yairpel@yahoo.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA396.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA3B0.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFC3F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFC72.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Windows Media Player\wmpnscfg.exe Infected: Trojan-Downloader.Win32.Bagle.pd skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\launcher.ocx.vir Infected: not-a-virus:AdWare.Win32.I2ISolutions.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir Infected: Trojan-Downloader.Win32.Bagle.pd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP673\A0342951.exe Infected: Trojan-Downloader.Win32.Bagle.pd skipped
C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345069.exe Infected: Trojan-Downloader.Win32.Bagle.pd skipped
C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptddrv1.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\basic install files\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\basic install files\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\basic install files\mirc62.exe NSIS: infected - 2 skipped
D:\Downloads\eMule\Incoming\שונות\eMusic_Tag_Editor_2.80_Cracked.zip/eMusic_Tag_Editor_2.80_Cracked.exe Infected: Trojan-Downloader.Win32.Bagle.pd skipped
D:\Downloads\eMule\Incoming\שונות\eMusic_Tag_Editor_2.80_Cracked.zip ZIP: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP676\A0343995.exe Infected: Trojan-Downloader.Win32.Bagle.pd skipped

Scan process completed.

And now the CF report

ComboFix 08-05-15.3 - Owner 05/18/2008 20:05:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.1.1037.18.554 [GMT 3:00]
Running from: C:\Documents and Settings\Owner\שולחן העבודה\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\launcher.ocx
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-18 15:27 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-18 04:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-11 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 18:34 --------- d-----w C:\Program Files\GameSpy
2008-05-09 17:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-09 17:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-09 17:38 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-09 17:38 --------- d-----w C:\Program Files\Symantec
2008-05-09 17:31 96,256 ----a-w C:\WINDOWS\system32\drivers\sptddrv1.sys
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-08 18:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\GameHouse
2008-05-08 16:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-05-08 05:56 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-07 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-05-07 18:04 --------- d-----w C:\Program Files\Java
2008-04-21 10:52 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-04-21 10:52 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-04-21 10:52 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-04-21 10:52 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-04-21 10:52 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-04-21 10:52 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-04-21 10:52 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-04-21 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 09:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-18 04:29 --------- d-----w C:\Program Files\Live_TV
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Babylon
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-06 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2008-03-30 17:31 --------- d-----w C:\Program Files\DivX
2008-03-30 17:29 --------- d-----w C:\Program Files\Apple Software Update
2008-03-30 17:27 --------- d-----w C:\Program Files\ICQLite
2008-03-27 19:16 --------- d-----w C:\Program Files\mIRC
2008-03-26 17:18 --------- d-----w C:\Program Files\Compedia
2008-03-25 19:05 --------- d-----w C:\Program Files\FlashGet
2008-03-25 19:04 --------- d-----w C:\Program Files\BoringCQ
2007-05-13 17:24 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-13 17:24 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-13 17:24 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-13 17:24 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-13 17:24 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-13 17:24 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-13 17:24 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-05-13 17:24 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-13 17:24 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 03:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [04/13/2005 01:01 AM 704512]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 12:34 PM 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [06/28/2006 04:42 PM 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 05:39 PM 461584]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 06:42 AM 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/20/2004 06:12 PM 131072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM 8523776]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM 144784]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 10:11 AM 771704]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 03:00 PM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Games\\Civ4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys [06/27/2006 03:24 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 17:00:00 C:\WINDOWS\Tasks\Norton Internet Security Online - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 20:09:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 05/18/2008 20:18:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 17:18:21

Pre-Run: 1,174,011,904 bytes free
Post-Run: 2,527,027,200 bytes free

163 --- E O F --- 2008-05-16 21:45:31

Any help will be appreciated very much as I don't want this system to crash and burn.

Thanks,
Yairp
Rorschach112
2008-05-19, 23:29
Hello

You got infected cause you downloaded cracks


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Downloads\eMule\Incoming\שונות\eMusic_Tag_Editor_2.80_Cracked.zip
E:\autorun.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

SysRst::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
Yairp
2008-05-20, 20:15
Did as instructed, here are the results.
Can I go back to working on the computer?

Result: 3 malware found
Client-IRC.Win32.mIRC (spyware)

* System

P2P-Worm.Win32.Kapucen.b (virus)

* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\461141D9.EXE (Renamed & Submitted)

Tracking Cookie (spyware)

* System
Rorschach112
2008-05-20, 21:01
Post the ComboFix log
Yairp
2008-05-20, 21:09
ComboFix 08-05-15.3 - Owner 05/20/2008 18:05:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.1.1037.18.519 [GMT 3:00]
Running from: C:\Documents and Settings\Owner\שולחן העבודה\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\שולחן העבודה\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Downloads\eMule\Incoming\שונות\eMusic_Tag_Editor_2.80_Cracked.zip
E:\autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\system32\drivers\downld
D:\Downloads\eMule\Incoming\שונות\eMusic_Tag_Editor_2.80_Cracked.zip
E:\autorun.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 19:50 --------- d-----w C:\Program Files\Trend Micro
2008-05-19 18:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-19 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-19 16:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-19 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 18:34 --------- d-----w C:\Program Files\GameSpy
2008-05-09 17:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-09 17:38 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-09 17:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-09 17:38 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-09 17:38 --------- d-----w C:\Program Files\Symantec
2008-05-09 17:31 96,256 ----a-w C:\WINDOWS\system32\drivers\sptddrv1.sys
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-08 18:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\GameHouse
2008-05-08 16:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-05-08 05:56 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-07 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-05-07 18:04 --------- d-----w C:\Program Files\Java
2008-04-21 10:52 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-04-21 10:52 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-04-21 10:52 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-04-21 10:52 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-04-21 10:52 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-04-21 10:52 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-04-21 10:52 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-04-21 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 09:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-18 04:29 --------- d-----w C:\Program Files\Live_TV
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Babylon
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-14 02:17 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-06 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2008-03-30 17:31 --------- d-----w C:\Program Files\DivX
2008-03-30 17:29 --------- d-----w C:\Program Files\Apple Software Update
2008-03-30 17:27 --------- d-----w C:\Program Files\ICQLite
2008-03-27 19:16 --------- d-----w C:\Program Files\mIRC
2008-03-26 17:18 --------- d-----w C:\Program Files\Compedia
2008-03-25 19:05 --------- d-----w C:\Program Files\FlashGet
2008-03-25 19:04 --------- d-----w C:\Program Files\BoringCQ
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 158,496 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:10 1,845,120 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:10 1,845,120 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 13:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 13:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 13:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 12:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 12:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-05 10:47 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:35 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-05-13 17:24 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-13 17:24 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-13 17:24 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-13 17:24 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-13 17:24 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-13 17:24 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-13 17:24 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-05-13 17:24 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-13 17:24 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@Sun 05-18-2008_20.17.16.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:09:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 15:08:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

05/18/2008 08:18 PM 961 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegBHO-Global.reg
05/08/2008 08:57 AM 1104 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335351.reg
05/08/2008 06:33 PM 1104 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345090.reg

05/19/2008 07:36 PM 18121 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDPF-Global.reg
05/07/2008 09:04 PM 17325 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335350.reg
05/08/2008 06:33 PM 17325 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345143.reg

05/18/2008 08:12 PM 277 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP3-Global.reg
05/08/2008 06:33 PM 217 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345085.reg

05/18/2008 08:12 PM 81 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB1-Global.reg
05/08/2008 08:57 AM 137 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335352.reg
05/08/2008 06:33 PM 137 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345081.reg

05/18/2008 08:04 PM 114 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGCP-Global.reg
05/08/2008 06:33 PM 87 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP678\A0345063.reg

05/16/2008 11:00 PM 1296 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1-Global.reg
05/08/2008 08:57 AM 1516 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP662\A0335306.reg
05/16/2008 09:12 AM 1296 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP676\A0344966.reg

05/08/2008 06:33 PM 205 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1SM-Global.reg
05/07/2008 09:53 PM 205 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335349.reg

05/20/2008 06:04 PM 86 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2-Global.reg
05/08/2008 08:46 AM 86 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335354.reg
05/14/2008 11:21 PM 86 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345191.reg

05/09/2008 08:33 PM 180 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3SM-Global.reg
05/08/2008 06:33 PM 205 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP664\A0339606.reg

05/08/2008 06:33 PM 7259 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGWLN-Global.reg
05/07/2008 09:52 PM 7259 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335348.reg

05/18/2008 08:12 PM 285 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2a-Owner.reg
05/08/2008 06:33 PM 265 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345084.reg

05/08/2008 06:33 PM 4102 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB1-Owner.reg
05/07/2008 10:28 PM 2280 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP662\A0335335.reg
05/08/2008 09:33 AM 4102 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335353.reg

05/18/2008 08:12 PM 235 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVW-Owner.reg
05/08/2008 06:33 PM 208 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP679\A0345086.reg

05/14/2008 07:37 AM 435 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS1-Owner.reg
{C895595A-BBB0-47B4-A182-8C597691B07E}\RP667\A0341035.regC:\WINDOWS\assembly\temp\8IPW3AHOV2\Microsoft.DirectX.Direct3DX.dll
05/12/2008 09:51 PM 350 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP673\A0342933.reg

05/11/2008 09:34 PM 85 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS2-Owner.reg
05/07/2008 09:57 PM 85 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP663\A0335341.reg
05/09/2008 10:29 AM 85 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP667\A0341026.reg

C:\Documents and Settings\All Users\Application Data\Symantec\COHLU.reg
02/29/2008 01:32 PM 403 {C895595A-BBB0-47B4-A182-8C597691B07E}\RP664\A0339620.reg

C:\Documents and Settings\All Users\Application
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 03:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 12:34 PM 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [06/28/2006 04:42 PM 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 05:39 PM 461584]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 06:42 AM 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/20/2004 06:12 PM 131072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM 8523776]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM 144784]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 10:11 AM 771704]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 03:00 PM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Games\\Civ4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys [06/27/2006 03:24 PM]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 17:00:00 C:\WINDOWS\Tasks\Norton Internet Security Online - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 18:08:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 05/20/2008 18:17:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 15:17:53
ComboFix2.txt 2008-05-18 17:18:26

Pre-Run: 2,557,591,552 bytes free
Post-Run: 3,116,634,112 bytes free

237 --- E O F --- 2008-05-16 21:45:31
Rorschach112
2008-05-20, 21:14
Hello

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.



Also post a new HijackThis log and tell me how your PC is running
Rorschach112
2008-05-20, 21:15
Sorry, also do this


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

File::

Folder::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=-

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Yairp
2008-05-20, 21:23
OK, on my way, will let you know when it finishes
Rorschach112
2008-05-20, 21:38
Ok :)

Good luck
Yairp
2008-05-20, 22:25
Can't download cure-it - tried it several times, both from your link and from their site.

The download starts very slowly - 1K/sec to 10K/sec and cuts off after about 10 minutes saying that the source is unreachable.

Shall I proceed with the rest of the instructions or do you have some other program that I can download instead?
Or maybe try them again in the early morning when maybe they are less busy?
Rorschach112
2008-05-20, 22:41
Go on with the rest of the instructions, and do this

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Yairp
2008-05-21, 07:23
Ok, Managed to download cure-it and it is now running.
I will post results in the evening.
Thanks.

Yairp
Rorschach112
2008-05-21, 13:46
Ok lets see what that shows

Do the other steps as well
Yairp
2008-05-21, 19:32
Ok, run Cure-it, CFscript and HJT.
Had warning from Teatimer that the so called window media exe was trying to re-establish it self in the startup list and I denied it.
Other then that, the computer start up has been ok, I haven't done anything else with the computer these past few days so I don't know if the rest is ok.
I will try several things later on and see how it goes.

Anyway, here are the reports

Cureit report
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
081340DC.tmp;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Win32.HLLW.Puce;Deleted.;
461141D9.0XE;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Win32.HLLW.Puce;Deleted.;
nppopcaploader.dll;C:\Program Files\Mozilla Firefox\plugins;Program.PopcapLoader.origin;Incurable.Deleted.;
nppopcaploader.dll;C:\Program Files\Mozilla Thunderbird\plugins;Program.PopcapLoader.origin;Incurable.Deleted.;
Uninstall.exe;C:\Program Files\PopCap Games\PopCap Browser Plugin;Program.PopcapLoader.origin;Incurable.Deleted.;
launcher.ocx.vir;C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files;Adware.I2ISolutions;Incurable.Deleted.;
A0345095.EXE;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP679;Program.PsExec.170;Incurable.Deleted.;
A0345104.bat;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP679;Probably SCRIPT.Virus;Incurable.Deleted.;
A0345219.EXE;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Program.PsExec.170;Incurable.Deleted.;
A0345228.bat;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Probably SCRIPT.Virus;Incurable.Deleted.;
A0345255.exe;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Program.mIRC.60;Incurable.Deleted.;
A0345257.exe;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Win32.HLLW.Puce;Deleted.;
A0346260.reg;C:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Trojan.StartPage.1505;Deleted.;
PopCapPluginInstaller.exe;D:\basic install files;Program.PopcapLoader.origin;Incurable.Deleted.;
installer-24030-19-Cool-Edit-Pro-2-1-English.exe;D:\Downloads\תוכנות + שונות;Trojan.Click.origin;Incurable.Moved.;
A0346261.exe;D:\System Volume Information\_restore{C895595A-BBB0-47B4-A182-8C597691B07E}\RP680;Trojan.Click.origin;Incurable.Moved.;


ComboFix report
ComboFix 08-05-15.3 - Owner 05/21/2008 19:12:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.1.1037.18.511 [GMT 3:00]
Running from: C:\Documents and Settings\Owner\שולחן העבודה\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\שולחן העבודה\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 16:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-20 19:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-20 16:54 --------- d-----w C:\Program Files\mIRC
2008-05-19 19:50 --------- d-----w C:\Program Files\Trend Micro
2008-05-19 16:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 18:34 --------- d-----w C:\Program Files\GameSpy
2008-05-09 17:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-09 17:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-09 17:38 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-09 17:38 --------- d-----w C:\Program Files\Symantec
2008-05-09 17:31 96,256 ----a-w C:\WINDOWS\system32\drivers\sptddrv1.sys
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-08 18:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-08 18:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\GameHouse
2008-05-08 16:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-05-08 05:56 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-07 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-05-07 18:04 --------- d-----w C:\Program Files\Java
2008-04-21 10:52 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-04-21 10:52 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-04-21 10:52 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-04-21 10:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-04-21 10:52 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-04-21 10:52 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-04-21 10:52 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-04-21 10:52 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-04-21 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 09:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-18 04:29 --------- d-----w C:\Program Files\Live_TV
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Babylon
2008-04-16 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-06 19:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2008-03-30 17:31 --------- d-----w C:\Program Files\DivX
2008-03-30 17:29 --------- d-----w C:\Program Files\Apple Software Update
2008-03-30 17:27 --------- d-----w C:\Program Files\ICQLite
2008-03-26 17:18 --------- d-----w C:\Program Files\Compedia
2008-03-25 19:05 --------- d-----w C:\Program Files\FlashGet
2008-03-25 19:04 --------- d-----w C:\Program Files\BoringCQ
2007-05-13 17:24 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2007-05-13 17:24 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2007-05-13 17:24 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2007-05-13 17:24 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2007-05-13 17:24 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2007-05-13 17:24 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2007-05-13 17:24 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2007-05-13 17:24 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2007-05-13 17:24 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@Sun 05-18-2008_20.17.16.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:09:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 16:17:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 12:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 12:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 13:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 12:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/27/2004 03:00 PM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 12:34 PM 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [06/28/2006 04:42 PM 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 05:39 PM 461584]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 06:42 AM 577536 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [12/20/2004 06:12 PM 131072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM 8523776]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 02:41 AM 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM 144784]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 10:11 AM 771704]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 08:59 AM 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/27/2004 03:00 PM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"Lexmark 2200 Series"="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Games\\Civ4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Games\\Civ4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys [06/27/2006 03:24 PM]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 17:00:00 C:\WINDOWS\Tasks\Norton Internet Security Online - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 19:18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 05/21/2008 19:25:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 16:25:14
ComboFix2.txt 2008-05-20 15:17:57
ComboFix3.txt 2008-05-18 17:18:26

Pre-Run: 2,831,990,784 bytes free
Post-Run: 3,143,192,576 bytes free

171 --- E O F --- 2008-05-16 21:45:31


HJT report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:52, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk.disabled
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188127250468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} (RemoteCfg Class) - http://www.012.net/securemail/auto/fwTechTool.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC101D23-7C48-4E05-A199-A3D3E5B4D27B}: NameServer = 84.95.14.250,212.116.161.38
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9514 bytes
Rorschach112
2008-05-21, 19:39
Hello

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.





1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Reboot and post a new HijackThis log and tell me how your PC is running
Yairp
2008-05-21, 20:14
Hi,

The computer seem to be going ok.
There is only one thing that has been going on since I started these fixing procedures, but I count it minor - my Norton Internet Security appears with a problem marker and when I look at it it says that phishing protection is turned off and when I try to fix it it shows an error and direct me to the site of symantec support.
I count this as minor as for now it is not hindering the very little I do with the computer and also I have the original install files to use if all goes bad, so *shrug* I don't think it will be a problem for long.

Other than that the computer seem to be going ok. I will try a few programs and games later on and see how they react.

here is the latest HJT report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:44, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk.disabled
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188127250468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} (RemoteCfg Class) - http://www.012.net/securemail/auto/fwTechTool.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher39.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC101D23-7C48-4E05-A199-A3D3E5B4D27B}: NameServer = 84.95.14.250,212.116.161.38
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9161 bytes


And thanks again for all the help :2thumb:
Rorschach112
2008-05-21, 22:45
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
Yairp
2008-05-21, 23:58
Thank YOU for your patience and great help!!

I always enjoy working with people who know their stuff.

Thumbs up mate!
Rorschach112
2008-05-22, 00:20
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.