View Full Version : Help--infected with Smitfraud-C and Zeno Search
BronxBoy
2008-05-29, 02:11
Hi-
My laptop has been infected with some bad stuff that I can't get rid of. It causes numerous pop-ups to continually pop up at a frantic rate. I installed SpyBot and ran it numerous times, and it always ends by listing these problems:
-Smitfraud-C.CoreService
(SBI $9C656B9A) Data
C:\WINDOWS\system32\drivers\core.cache.dsk
-Zeno Search
(SBI $7E6E3149) Text file
C:\WINDOWS\system32\msnav32.ax
-Zeno Search
(SBI $93386031) Text file
C:\WINDOWS\system32\zxdnt3d.cfg
However, SpyBot seems unable to get rid of them. It says the problems are fixed, but when I reboot and scan again, they're still there.
I also installed and ran SmitfraudFix, but it hasn't helped either.
I of course want to get rid of them, and I also want to make sure that the bad stuff hasn't gotten into my external hard drive or flash drive (if that's possible).
I'll appreciate anything you can do. Thanks.
I think you missed the BEFORE you POST (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) sticky. ;)
Follow the instructions there and post a fresh HJT log.
BronxBoy
2008-05-30, 09:09
Sorry about that...I'm new to this stuff, and I thought I'd wait for you to ask for something before I sent the wrong thing.
Below is my HJT log. I was also going to send a Kaspersky log, but I can't get all the way through the Kaspersky scan...twice I got to almost 100% of the process (after sitting through it for a couple of hours) and then AOL froze up on me or disconnected and I lost the whole thing. I can't use the wireless connection because that keeps dropping out on me.
Thanks for taking a look at this.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:47:26, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe
C:\Program Files\Common Files\W?nSxS\?explore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QdrModule\QdrModule17.exe
c:\windows\system32\jqwnw64j.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\WINDOWS\system32\efcButrR.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56AAAD03-1EF9-4B07-8196-12F1C125F7AD} - C:\WINDOWS\system32\awtrOiJD.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: mysidesearch browser optimizer - {7605204a-1bf2-6b53-2777-53f8a87e9669} - C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {AE6DE148-55F9-2173-FF4E-7AA2E69B4A92} - C:\WINDOWS\system32\xzej.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\byXQGyab.dll (file missing)
O2 - BHO: (no name) - {DF71DBA4-D312-448B-85AD-B0D5F85D16BD} - C:\WINDOWS\system32\iifgExuV.dll (file missing)
O2 - BHO: gooochi browser optimizer - {fdd7b81d-1edc-978a-e1d9-513b08695f89} - C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [{74-4C-CB-B9-DW}] c:\windows\system32\jqwnw64j.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram
O4 - HKLM\..\Run: [{c3f670a7-1bb7-5093-12d3-d28162845729}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" DllStart
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Dkdtq] "C:\Program Files\Common Files\W?nSxS\?explore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O17 - HKLM\System\CS3\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12395 bytes
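Triage of a HijackThis log of the kind posted above, as an added example that is not part of the thread and not a Spybot or HijackThis feature. It encodes the signals a forum helper reads off such a log by eye: orphaned "(file missing)" BHOs, a DLL under system32 named as a bare GUID, Run values named like hex blobs, a '?' inside a path (HJT prints characters it cannot render that way, so W?nSxS is a look-alike of WinSxS), shortcuts planted in the SYSTEM and Default User Startup folders, a text/html filter hijack, a wildcard Trusted Zone, and one executable wired into several load points at once. The sample lines are copied verbatim from the posted log; the threshold of three load points and the wording of each reason are the example's own assumptions.

```python
import re
from collections import defaultdict

# Lines copied verbatim from the HijackThis log posted above: benign ThinkPad,
# Spybot and Lavasoft entries mixed with the ones a helper would zero in on.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\WINDOWS\system32\efcButrR.dll (file missing)
O2 - BHO: gooochi browser optimizer - {fdd7b81d-1edc-978a-e1d9-513b08695f89} - C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{74-4C-CB-B9-DW}] c:\windows\system32\jqwnw64j.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram
O4 - HKCU\..\Run: [Dkdtq] "C:\Program Files\Common Files\W?nSxS\?explore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O15 - Trusted Zone: *.plus2 (HKLM)
O17 - HKLM\System\CS3\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
GUID_DLL_RE = re.compile(r"\\system32\\" + GUID + r"\.dll", re.I)
BRACED_RUN_VALUE_RE = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run: \[\{")
# HJT prints characters it cannot render as '?', so a '?' inside a drive path
# means a non-ASCII look-alike character (W?nSxS standing in for WinSxS).
LOOKALIKE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*\?')
ALL_PROFILES_RE = re.compile(r"^O4 - (S-1-5-18|\.DEFAULT) Startup:")
EXE_RE = re.compile(r"([\w.\-{}]+\.exe)\b", re.I)


def per_line_reasons(line):
    """Signals that can be judged from a single log line."""
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O18", ...
    reasons = []
    if section in ("O2", "O20") and "(file missing)" in line:
        reasons.append("registry still loads a DLL that is gone (orphaned BHO/Notify entry to clean)")
    if GUID_DLL_RE.search(line):
        reasons.append("DLL under system32 named as a bare GUID, an adware habit, not a Windows one")
    if BRACED_RUN_VALUE_RE.match(line):
        reasons.append("Run value named like a GUID/hex blob instead of a product name")
    if LOOKALIKE_PATH_RE.search(line):
        reasons.append("path holds a look-alike/unprintable character (shown as '?')")
    if ALL_PROFILES_RE.match(line):
        reasons.append("shortcut in the SYSTEM or Default User Startup folder (all-profile persistence)")
    if section == "O15" and "*." in line:
        reasons.append("wildcard Trusted Zone entry relaxes IE security for a whole domain")
    if section == "O17" and "NameServer" in line:
        reasons.append("static DNS server set: confirm the address belongs to your ISP")
    if section == "O18" and "Filter hijack" in line:
        reasons.append("MIME filter on text/html: the DLL sees and can rewrite every page IE renders")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loads into winlogon.exe at boot; verify the vendor")
    return reasons


def triage(log_text, redundancy_threshold=3):
    """Map each suspicious line to its reasons. Adds one cross-line check: the
    same executable wired into several O4 load points (Run key plus the Startup
    folder of every profile) is how malware guarantees it comes back."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    findings = {}
    load_points = defaultdict(set)             # exe name -> {"O4 - HKLM\..\Run", ...}
    for line in lines:
        reasons = per_line_reasons(line)
        if reasons:
            findings[line] = reasons
        if line.startswith("O4 - "):
            exes = EXE_RE.findall(line)
            if exes:
                load_points[exes[-1].lower()].add(line.split(":", 1)[0])
    for line in lines:
        exes = EXE_RE.findall(line) if line.startswith("O4 - ") else []
        if exes and len(load_points[exes[-1].lower()]) >= redundancy_threshold:
            n = len(load_points[exes[-1].lower()])
            findings.setdefault(line, []).append(
                f"{exes[-1]} is launched from {n} separate load points")
    return findings


def report(findings):
    out = []
    for line, reasons in findings.items():
        out.append(line)
        out.extend(f"    -> {r}" for r in reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run as is, it prints the twelve suspicious lines with their reasons and stays quiet on the Synaptics, Spybot, ctfmon and Lavasoft entries. It is a triage aid, not a verdict: vendors do legitimately register Winlogon Notify DLLs and ISPs do set static name servers, so every hit still needs a person to check the file and its signer, which is exactly what the helpers in this thread do by hand.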
Hi
It's ok. We can try the Kaspersky scanner later :)
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
BronxBoy
2008-06-01, 06:36
Hi-
Here's the ComboFix log...HJT log to follow in a few minutes. Thanks, George
ComboFix 08-05-29.1 - NYP 2008-05-31 23:04:39.1 - NTFSx86
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\NYP\My Documents\STEM32~1
C:\Documents and Settings\NYP\My Documents\YSTEM~1
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\?explore.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\Common Files\ystem3~1\dvdplay.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicer.gz
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\mainladupd.exe
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\dictys.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Program Files\Spcron
C:\Program Files\Spcron\Spcron.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM5bb47f8a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\DJiOrtwa.ini
C:\WINDOWS\system32\DJiOrtwa.ini2
C:\WINDOWS\system32\drivers\rawwann.sys
C:\WINDOWS\system32\dsigyqlk.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RrtuBcfe.ini
C:\WINDOWS\system32\RrtuBcfe.ini2
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\VuxEgfii.ini
C:\WINDOWS\system32\VuxEgfii.ini2
C:\WINDOWS\system32\x4
C:\WINDOWS\system32\x4\demw136.exe
C:\WINDOWS\system32\xzej.dll
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RAWWANN
-------\Service_rawwann
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.
2008-05-31 23:13 . 2008-05-31 23:13 21 --a------ C:\WINDOWS\system32\zxdnt3d.cfg
2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 01:34 . 2008-05-30 01:34 49,162 --a------ C:\WINDOWS\system32\jqwnw64j.exe
2008-05-30 01:01 . 2008-05-30 01:04 63,918 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
2008-05-30 01:00 . 2008-05-30 01:01 401,976 --a------ C:\WINDOWS\system32\g29.exe
2008-05-30 00:42 . 2008-05-30 00:42 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-05-30 00:11 . 2008-05-30 00:11 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-05-29 20:59 . 2008-05-29 21:00 200,779 --a------ C:\WINDOWS\system32\rcntrkdm.exe
2008-05-29 20:59 . 2008-05-29 20:59 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-29 20:58 . 2008-05-29 20:59 298,308 --a------ C:\WINDOWS\system32\gside.exe
2008-05-28 23:28 . 2008-05-28 23:28 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 21:48 . 2008-05-27 21:48 167,976 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-27 19:43 . 2008-05-27 19:43 200,767 --a------ C:\WINDOWS\system32\tcntaxdn.exe
2008-05-27 19:43 . 2008-05-27 19:43 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-27 09:34 . 2008-05-27 09:34 370,688 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
2008-05-25 17:14 . 2008-05-31 22:40 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-05-31 22:43 54,202 --a------ C:\VETlog.dmp
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-02 10:22 . 2008-05-02 10:22 <DIR> d-------- C:\WINDOWS\rffi
2008-05-02 10:22 . 2008-05-02 15:21 <DIR> d-------- C:\Program Files\Common Files\rffi
2008-05-02 10:12 . 2008-05-02 10:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 10:12 . 2008-05-02 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 10:08 . 2008-05-02 10:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-02 10:08 . 2008-05-02 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 10:07 . 2008-05-02 10:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 08:40 . 2008-05-01 05:40 68,608 --------- C:\WINDOWS\b155.exe_old
2008-05-01 08:00 . 2008-05-01 05:00 273,408 --------- C:\WINDOWS\b148.exe_old
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25340342-330E-4395-A8B4-5CE97F6BC0D8}]
C:\WINDOWS\system32\efcButrR.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56AAAD03-1EF9-4B07-8196-12F1C125F7AD}]
C:\WINDOWS\system32\awtrOiJD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7605204a-1bf2-6b53-2777-53f8a87e9669}]
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 11:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF71DBA4-D312-448B-85AD-B0D5F85D16BD}]
C:\WINDOWS\system32\iifgExuV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fdd7b81d-1edc-978a-e1d9-513b08695f89}]
2008-05-27 09:34 370688 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"Uahe"="C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" [ ]
"Dkdtq"="C:\Program Files\Common Files\W?nSxS\?explore.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"QdrModule17"="C:\Program Files\QdrModule\QdrModule17.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]
"{74-4C-CB-B9-DW}"="c:\windows\system32\rwwnw64d.exe" [ ]
"{c3f670a7-1bb7-5093-12d3-d28162845729}"="C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" [2008-05-27 09:34 370688]
"ExploreUpdSched"="C:\WINDOWS\system32\tcntaxdn.exe" [2008-05-27 19:43 200767]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQGyab]
byXQGyab.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460d10-da2a-11dc-b4f9-00038a000015}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c38c4e0-eea7-11db-b44f-00038a000015}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 23:13:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.virft.VC8
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-31 23:18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 03:18:38
Pre-Run: 16,899,358,720 bytes free
Post-Run: 16,874,016,768 bytes free
258 --- E O F --- 2008-05-16 00:57:31
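The two MountPoints2 entries near the end of the ComboFix log above (Shell\Auto\command pointing at E:\Start.exe, and Shell\AutoRun\command running Start.exe through RunDLL32) are what Explorer caches when it reads an autorun.inf from a removable volume, so they bear directly on the earlier question about the external hard drive and flash drive. The following is an added example, not part of the thread and not a ComboFix or Spybot feature: it parses an autorun.inf the way Explorer would, lists the commands that would be launched, and reports which of the named files are actually sitting on the drive. SAMPLE_AUTORUN_INF is constructed to reproduce those cached entries; it is not a file recovered from the machine.

```python
import os
import re
import tempfile

# Constructed to match the cached MountPoints2 entries in the ComboFix log
# (Shell\Auto\command and Shell\AutoRun\command pointing at Start.exe); this
# is sample data, not a file recovered from the machine.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; comment lines are ignored by Windows and by this parser
open=Start.exe
shell\Auto\command=Start.exe
shellexecute=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
shell=Auto
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Keys that make Explorer launch something when the volume is opened or its
# default action is taken; "shell=" only selects which verb is the default.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_autorun_inf(text):
    """Return the [autorun] section as an ordered list of (key, value).

    Duplicate keys are kept on purpose: malicious files repeat them, and a
    dict would silently show only the last one."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def launch_commands(entries):
    """Only the entries that run something (the ones Explorer caches)."""
    return [(k, v) for k, v in entries if LAUNCH_KEY_RE.match(k)]


def file_targets(command):
    """Executable-looking tokens of a command, reduced to bare file names."""
    names = []
    for tok in command.replace(",", " ").split():
        name = re.split(r"[\\/]", tok.strip('"'))[-1]
        if name.lower().endswith(EXECUTABLE_EXT):
            names.append(name)
    return names


def inspect_drive_root(root):
    """Describe what autorun.inf on a drive root would run, and which of the
    named files are actually present on that drive."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun_inf(fh.read())
    findings = []
    for key, command in launch_commands(entries):
        present = [t for t in file_targets(command)
                   if os.path.isfile(os.path.join(root, t))]
        findings.append({"key": key, "command": command, "present": present})
    return findings


def demo(with_inf=True):
    """Build a throwaway fake drive root (constructed data) and inspect it."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    if with_inf:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        open(os.path.join(root, "Start.exe"), "wb").close()
    return inspect_drive_root(root)


if __name__ == "__main__":
    import sys
    # Pass a drive root such as E:\ to check a real volume; no argument runs the demo.
    for hit in (inspect_drive_root(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(hit)
```

Saved as, say, autorun_check.py, it is run against each removable drive root (python autorun_check.py E:\) after reaching the drive by typing its path into the Explorer address bar rather than double-clicking the drive icon, because the double-click is what fires the cached default action. A non-empty report means the drive carries its own loader and needs cleaning along with the laptop; an empty report means only that there is no autorun.inf, not that the drive is clean.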
BronxBoy
2008-06-01, 06:39
Hi--here's a fresh HJT log. Thanks again for taking the time to check it out.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:20, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\tcntaxdn.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\WINDOWS\system32\efcButrR.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56AAAD03-1EF9-4B07-8196-12F1C125F7AD} - C:\WINDOWS\system32\awtrOiJD.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: mysidesearch browser optimizer - {7605204a-1bf2-6b53-2777-53f8a87e9669} - C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {DF71DBA4-D312-448B-85AD-B0D5F85D16BD} - C:\WINDOWS\system32\iifgExuV.dll (file missing)
O2 - BHO: gooochi browser optimizer - {fdd7b81d-1edc-978a-e1d9-513b08695f89} - C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [{74-4C-CB-B9-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{c3f670a7-1bb7-5093-12d3-d28162845729}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" DllStart
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Dkdtq] "C:\Program Files\Common Files\W?nSxS\?explore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12312 bytes
Hi
It seems the Windows internal firewall is switched off. Please try to enable it if you don't have any other firewall installed.
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\b155.exe_old
C:\WINDOWS\b148.exe_old
C:\WINDOWS\system32\rwwnw64d.exe
DirLook::
C:\WINDOWS\rffi
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25340342-330E-4395-A8B4-5CE97F6BC0D8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56AAAD03-1EF9-4B07-8196-12F1C125F7AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7605204a-1bf2-6b53-2777-53f8a87e9669}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF71DBA4-D312-448B-85AD-B0D5F85D16BD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fdd7b81d-1edc-978a-e1d9-513b08695f89}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uahe"=-
"Dkdtq"=-
"QdrPack16"=-
"QdrModule17"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{74-4C-CB-B9-DW}"=-
"{c3f670a7-1bb7-5093-12d3-d28162845729}"=-
"ExploreUpdSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQGyab]
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting the above mentioned ComboFix resultant log).
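As an added example (not code from this thread, from HijackThis or from the helper), the following Python parses the HJT log format shown above into structured entries and flags the kinds of load points singled out for fixing: entries whose file is missing, startup items in the SYSTEM or Default profile, non-ASCII lookalike characters in a path, and a start page reset to about:blank. The sample log lines are constructed from entries quoted in this thread; the Cyrillic "і" in the Dkdtq path is assumed from the Kaspersky report, where the same file appears as WNSXS~1\іexplore.exe.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format, modelled on entries quoted in
# this thread. The lookalike characters in the Dkdtq entry are assumed: the HJT
# log renders them as "?" and the Kaspersky report shows a Cyrillic "і" (U+0456).
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\\WINDOWS\\system32\\efcButrR.dll (file missing)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Dkdtq] "C:\\Program Files\\Common Files\\W\u0456nSxS\\\u0456explore.exe"
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\\WINDOWS\\system32\\rwwnw64d.exe (User 'SYSTEM')
O4 - Startup: Deewoo.lnk = C:\\WINDOWS\\system32\\tcntaxdn.exe
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\\WINDOWS\\System32\\QCONSVC.EXE
"""


@dataclass
class Entry:
    section: str            # HJT section code: R0, O2, O4, O20, O23, ...
    name: str               # registry value, BHO, service or shortcut name
    target: str             # file path, DLL or URL the entry points at
    file_missing: bool      # HJT appended "(file missing)"
    flags: list = field(default_factory=list)


SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
STARTUP_RE = re.compile(r"^(?P<key>.*?Startup): (?P<name>.*?) = (?P<target>.*?)(?: \(User '[^']*'\))?$")
# The service path is the last field and always starts with a drive letter, so
# a path containing " - " (e.g. "Spybot - Search & Destroy") does not confuse it.
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>[A-Za-z]:\\.*)$")
# Startup folders of the SYSTEM account and the Default profile, as HJT labels them.
SYSTEM_PROFILES = ("S-1-5-18 Startup", ".DEFAULT Startup")


def parse_line(line: str):
    """Turn one HJT log line into an Entry, or return None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    key = ""
    if sec in ("R0", "R1") and " = " in body:
        name, target = body.split(" = ", 1)
    elif sec == "O2" and (b := BHO_RE.match(body)):
        name, target = b["name"], b["target"]
    elif sec == "O4" and (b := RUN_RE.match(body) or STARTUP_RE.match(body)):
        key, name, target = b["key"], b["name"], b["target"]
    elif sec == "O20" and " - " in body:
        name, target = body.split(": ", 1)[1].rsplit(" - ", 1)
    elif sec == "O23" and (b := SERVICE_RE.match(body)):
        name, target = b["name"], b["target"]
    else:
        name, target = body, ""          # section we do not model: keep it raw
    entry = Entry(sec, name, target.strip('"'), missing)

    if missing:
        entry.flags.append("file missing: orphaned load point")
    if any(ord(c) > 127 for c in entry.target):
        entry.flags.append("non-ASCII character in path (lookalike of a Windows name?)")
    if sec == "O4" and key in SYSTEM_PROFILES:
        entry.flags.append("startup item in SYSTEM/Default profile")
    if sec == "R0" and entry.target == "about:blank":
        entry.flags.append("start page reset to about:blank")
    return entry


def parse_log(text: str) -> list:
    """Parse every entry line of an HJT log; lines that are not entries are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def flagged_entries(text: str) -> dict:
    """Map the name of each flagged entry to its flags, for a quick triage view."""
    return {e.name: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for e in parse_log(SAMPLE_HJT_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.section:<3} {e.name:<40} {e.target}")
        for f in e.flags:
            print(f"       -> {f}")
```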
BronxBoy
2008-06-03, 21:36
Hi-
Before I try to do this, I have a couple of questions:
1. You wrote: "It seems Windows internal firewall is switched off. Please try to enable it if you don't have any other firewall installed."
How do I enable the firewall?
2. You wrote:
"Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe"
What kind of check should I do? Am I checking to see if those lines are in the log?
Thanks, George
1) Enable Windows Firewall in Windows XP SP2
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click On (recommended), and then click OK.
2) You have to place a checkmark on those entries I listed in the HijackThis program and then, after closing browser windows, click the 'Fix checked' button in HijackThis :)
BronxBoy
2008-06-04, 23:24
Hi-
I enabled the firewall. I then did the hjt system scan, and clicked and fixed the items you listed. I then opened Notepad and pasted the items you told me into it.
However, I don't know how to save it as CF Script, or how to drag and drop it into ComboFix. ComboFix just seems to run when I click on it, but I don't see a way to drag anything into it.
If you could just walk me through saving it as CF Script and dragging it into ComboFix, I'd appreciate it. Sorry for the trouble, I'm a beginner at this.
Thanks, George
Hi George
Please find the needed CFScript.txt attached to this post. Download it to your desktop and drag the CFScript.txt file, holding the left mouse button down, over ComboFix.exe and release the button. Just like in the screenshot of my previous post :)
Attention: this CFScript.txt file suits only BronxBoy's case. Using it on some other case may ruin the system!
BronxBoy
2008-06-04, 23:52
Thanks, I'll try it. For some reason I can't see the screenshot / picture in your previous post, but I'll try to follow your instructions.
BronxBoy
2008-06-05, 00:25
Hi-I did ComboFix with the CF script you sent me--here's the log. I will try to do the other logs and post them shortly. Thanks, George
ComboFix 08-06-03.4 - NYP 2008-06-04 17:07:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NYP\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\b148.exe_old
C:\WINDOWS\b155.exe_old
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\b148.exe_old
C:\WINDOWS\b155.exe_old
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-01 00:02 . 2008-06-01 00:02 95,833 --a------ C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:14 . 2008-06-04 15:46 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-06-04 16:37 51,868 --a------ C:\VETlog.dmp
2008-05-19 09:55 . 2008-05-19 09:55 439,808 --a------ C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 19:21 --------- d-----w C:\Program Files\Common Files\rffi
2008-05-02 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 14:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 14:08 --------- d-----w C:\Program Files\Lavasoft
2008-05-02 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\rffi ----
2008-05-02 10:22 2318 --a------ C:\WINDOWS\rffi\rffi.dat
2002-07-26 17:02 153088 --a------ C:\WINDOWS\rffi\wu
((((((((((((((((((((((((((((( snapshot@2008-05-31_23.18.13.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 03:11:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 20:46:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 04:02:17 95,833 ----a-w C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
+ 2008-05-19 13:55:20 439,808 ----a-w C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460d10-da2a-11dc-b4f9-00038a000015}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c38c4e0-eea7-11db-b44f-00038a000015}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 17:10:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-04 17:14:11
ComboFix-quarantined-files.txt 2008-06-04 21:13:56
ComboFix2.txt 2008-06-04 20:15:08
ComboFix3.txt 2008-06-01 03:18:46
Pre-Run: 16,851,755,008 bytes free
Post-Run: 16,834,056,192 bytes free
174 --- E O F --- 2008-05-16 00:57:31
BronxBoy
2008-06-05, 04:31
Hi-Here's my Kaspersky log. George
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 21:25:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 829611
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 65497
Number of viruses found: 44
Number of infected objects: 110
Number of suspicious objects: 0
Duration of the scan process: 02:00:46
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080604_Time-164858638_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080604_Time-164858638_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip ZIP: infected - 4 skipped
C:\Documents and Settings\NYP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NYP\ntuser.dat.LOG Object is locked skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped
C:\Program Files\Patchlink\Update Agent\Patchlink Update Agent.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip/rawwann.sys Infected: Trojan.Win32.Pakes.cwd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A6FBED68-5847-492B-AA35-35249DE4C3B9}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0400BCEB-CF7C-4AA8-AF2F-9179705E720C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\pnVes18\pnVes182328.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
BronxBoy
2008-06-05, 04:34
Hi - Here's a fresh HJT log. Thanks for looking at all this. George
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:06, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9945 bytes
Hi George,
Clear Java's cache (http://www.java.com/en/download/help/5000020300.xml). Then run ComboFix again with the new script provided as an attachment.
After that, re-run the Kaspersky scanner and post back its report, a fresh HJT log and the ComboFix log.
Attention: this CFScript.txt file suits only BronxBoy's case. Using it on some other case may ruin the system!
BronxBoy
2008-06-07, 03:59
Hi - Here's my new ComboFix log.
ComboFix 08-06-03.4 - NYP 2008-06-06 20:47:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NYP\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
C:\WINDOWS\system32\pnVes18
C:\WINDOWS\system32\pnVes18\pnVes182328.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.
2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:14 . 2008-06-06 20:24 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-06-04 16:37 51,868 --a------ C:\VETlog.dmp
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 19:21 --------- d-----w C:\Program Files\Common Files\rffi
2008-05-02 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 14:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 14:08 --------- d-----w C:\Program Files\Lavasoft
2008-05-02 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-31_23.18.13.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 03:11:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 00:41:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]
.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 20:51:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-06 20:54:04
ComboFix-quarantined-files.txt 2008-06-07 00:53:45
ComboFix2.txt 2008-06-04 21:14:13
ComboFix3.txt 2008-06-04 20:15:08
ComboFix4.txt 2008-06-01 03:18:46
Pre-Run: 16,815,140,864 bytes free
Post-Run: 16,797,974,528 bytes free
135 --- E O F --- 2008-05-16 00:57:31
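The "Reg Loading Points" section of the ComboFix log above is what a helper reads first: the Norton/Symantec values (NAV CfgWiz, ccRegVfy, ccApp) carry an empty "[ ]", i.e. the file they point at no longer exists, while IBM RecordNow! and tgcmd have no command at all, and several values (TpShocks, TP4EX, S3TRAY2, ATIModeChange, AGRSMMSG, irprops.cpl) are bare file names that ComboFix resolved for you. The script below is an added example, not part of this thread and not ComboFix's own code, that parses those lines and sorts them the way a reviewer does. The reading of the bracket text (empty "[]" after an empty value, "[ ]" for a file that was not found, "[date time size]" plus the resolved path for bare names) is inferred from the posted log, and the sample input is a constructed excerpt of the entries posted above.

```python
import re
from collections import namedtuple

# One parsed autostart value plus the triage verdict assigned to it.
Entry = namedtuple("Entry", "hive name value info verdict")

HIVE_RE = re.compile(r'^\[(HK[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+\[(?P<info>.*)\]$')

# Constructed sample: a subset of the Run-key lines from the ComboFix log
# posted above, copied verbatim (the bracket text is what ComboFix printed).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]
'''


def classify(value, info):
    """Triage one Run value from its command string and ComboFix's bracket text.

    Reading of the bracket text (inferred from the log above, an assumption):
    "[]" follows an empty value, "[ ]" means the referenced file was not found,
    and a found file gets "[date time size]" with the resolved path appended
    for bare file names.
    """
    if value == "":
        # Stale value with no command at all: cannot run anything, remove for hygiene.
        return "empty"
    if info.strip() == "":
        # Command names a file that no longer exists (here: leftovers of an
        # uninstalled Norton). Harmless today, but it is a ready-made autostart
        # slot: whoever can create that path gets code run at the next logon.
        return "orphan"
    if "\\" not in value:
        # Bare file name, located through the loader's search order. Check that
        # the path ComboFix resolved is the one you expect (system32 here).
        return "unqualified"
    return "ok"


def parse_run_keys(text):
    """Parse the Reg Loading Points excerpt into Entry records with verdicts."""
    hive, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and hive:
            value, info = m.group("value"), m.group("info")
            entries.append(Entry(hive, m.group("name"), value, info, classify(value, info)))
    return entries


def summarize(entries):
    """Group entry names by verdict so the stale ones stand out."""
    groups = {"empty": [], "orphan": [], "unqualified": [], "ok": []}
    for e in entries:
        groups[e.verdict].append(e.name)
    return groups


if __name__ == "__main__":
    for verdict, names in summarize(parse_run_keys(SAMPLE_LOG)).items():
        print(f"{verdict:<12} {', '.join(names) or '-'}")
```

Run against the excerpt it reports the two empty values, the two orphaned Norton entries and TpShocks as the one unqualified name; the rest are plain autostarts. The "orphan" class is the one worth acting on even though nothing malicious is listed: a Run value whose target is gone is exactly the kind of dangling autostart that a later dropper can reuse, so it should be deleted rather than left as clutter.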
BronxBoy
2008-06-07, 04:03
Here's my new hjt log. I don't have time to do the Kaspersky tonight but will do it in the next day or two and post it. Thanks for all your help. George
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:21, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9896 bytes
Hi
Let's get back to this after you've got the Kaspersky report ready :)
BronxBoy
2008-06-08, 09:01
Hi-Here's a fresh Kaspersky log. Thanks, George
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 01:53:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 836968
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 65646
Number of viruses found: 42
Number of infected objects: 107
Number of suspicious objects: 0
Duration of the scan process: 02:12:48
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080607_Time-093321021_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080607_Time-093321021_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnDemandScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NYP\ntuser.dat.LOG Object is locked skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip/rawwann.sys Infected: Trojan.Win32.Pakes.cwd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes18\pnVes182328.exe.vir Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll.vir Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119519.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119520.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2158A4FB-F612-4C8E-9BF0-AEB9A63EC7DA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Kaspersky findings will get deleted when you reset system restore and remove the used tools. Instructions for both below.
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter.
Locate DNS Client, highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one if your McAfee doesn't contain a firewall.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
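The six Custom Level changes in the post above end up as per-user registry values, so they can be audited rather than re-checked by hand in the dialog. The script below is an added example for this thread, not something the helper posted. It assumes the documented mapping from each setting to its URL-action value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), with 0 = Enable, 1 = Prompt, 3 = Disable. The reader is injectable, so the same check runs against an in-memory snapshot (for instance parsed from a .reg export) on any platform, and against the live registry on Windows. The WEAK and HARDENED snapshots are constructed for illustration.

```python
r"""Audit the Internet-zone settings the post asks for.

Added example; the value names are the documented IE URL-action IDs, the
snapshots at the bottom are constructed, not taken from any real machine.
"""
from typing import Callable, Dict, List, Optional, Tuple

try:  # winreg only exists on Windows; the pure check works anywhere
    import winreg
except ImportError:
    winreg = None

ZONE_INTERNET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# IE stores each URL action as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}  # higher = stricter

# (registry value name, setting as named in the dialog, level the post asks for)
REQUIRED: List[Tuple[str, str, int]] = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
]


def audit_zone(read_value: Callable[[str], Optional[int]]) -> List[Dict[str, str]]:
    """Return one finding per setting that is weaker than the post requires.

    read_value(name) gives the DWORD stored for that action, or None when the
    value is absent. An absent value means IE is using the zone template
    default, which we cannot confirm here, so it is reported as 'not set'.
    """
    findings = []
    for value_name, label, required in REQUIRED:
        current = read_value(value_name)
        if current is None:
            findings.append({"value": value_name, "setting": label,
                             "current": "not set", "required": LEVEL_NAME[required]})
        elif STRICTNESS.get(current, -1) < STRICTNESS[required]:
            findings.append({"value": value_name, "setting": label,
                             "current": LEVEL_NAME.get(current, str(current)),
                             "required": LEVEL_NAME[required]})
    return findings


def reader_from_dict(values: Dict[str, int]) -> Callable[[str], Optional[int]]:
    """Reader over an in-memory snapshot (e.g. parsed from a .reg export)."""
    return lambda name: values.get(name)


def reader_from_registry() -> Callable[[str], Optional[int]]:
    """Reader over the live HKCU hive; only usable on Windows."""
    if winreg is None:
        raise RuntimeError("live registry reads need Windows")
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_INTERNET)

    def read(name: str) -> Optional[int]:
        try:
            data, kind = winreg.QueryValueEx(key, name)
        except FileNotFoundError:
            return None
        return int(data) if kind == winreg.REG_DWORD else None
    return read


# Constructed weak snapshot: several actions still on Enable, one value missing.
WEAK = {"1001": ENABLE, "1004": PROMPT, "1201": ENABLE, "1800": ENABLE, "1804": ENABLE}
# Constructed snapshot after applying the six changes from the post.
HARDENED = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
            "1800": PROMPT, "1804": PROMPT, "1607": PROMPT}

if __name__ == "__main__":
    for f in audit_zone(reader_from_dict(WEAK)):
        print(f"{f['value']} {f['setting']}: {f['current']} -> should be {f['required']}")
    print("after hardening:", audit_zone(reader_from_dict(HARDENED)))
```

A setting that is stricter than asked (Disable where the post says Prompt) is not reported, since the check only cares about the floor the post sets. On Windows, `audit_zone(reader_from_registry())` runs the same check against the current user's live settings.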
BronxBoy
2008-06-10, 02:58
Hi-
Yes, the pop-ups that were attacking my computer have totally stopped! Thanks, I can't tell you how much I appreciate it! I will follow the instructions in your last post, but first I have a question.
I have an external hard drive where I keep most of the data that I use on this computer (I don't keep much on the computer's hard drive). I also have a flash drive that has a lot of data on it. Is there any way I can make sure that none of the bad stuff got into the external hard drive and flash drive? I didn't have them connected when I was following the repair steps you gave me. I want to make sure that the problems don't come back when I connect one or both of those drives to the computer.
Thanks,
George
Hi
Scan those drives with Kaspersky online scanner. I think you can plug them in the system now :)
BronxBoy
2008-06-15, 03:03
Hi-
I attempted to run the Kaspersky scanner as you said in your last post (with my flash drive and external hard drive plugged in), but I got the following message: "You need to install Java version 1.5 or later to run Kaspersky Online Scanner."
I'm not sure why that is...as you know, I ran Kaspersky several times while you were helping me with my original problem. I tried to download Java 1.5 through the link on Kaspersky, but it said "We have encountered an issue while trying to download Java."
Where do I go from here?
Thanks,
George
Hi
Yes, Kaspersky released a new version of its online scanner just some days ago. The new version requires Java. Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp). I had included it in my instructions a couple of posts back in this same topic :)
BronxBoy
2008-06-18, 06:11
Hi-
Here's a new Kaspersky log. The scan was done while my external hard drive and my flash drive were plugged into the computer. Does it look as if I have any more problems to deal with? Thanks, George
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 17, 2008 21:40:37
Records in database: 877129
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 95600
Threat name: 43
Infected objects: 94
Suspicious objects: 0
Duration of the scan: 03:05:06
File name / Threat name / Threats count
lsass.exe\lsass.exe/lsass.exe\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\Documents and Settings\NYPD\lsass.exe/C:\Documents and Settings\NYPD\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\Documents and Settings\NYPD\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\NYPD\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\NYPD\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z 1
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip Infected: Trojan.Win32.Pakes.cwd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes18\pnVes182328.exe.vir Infected: Trojan-Downloader.Win32.VB.ebf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\QooBox\Quarantine\C\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll.vir Infected: Trojan.Win32.BHO.cmd 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119519.exe Infected: Trojan-Downloader.Win32.VB.ebf 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119520.dll Infected: Trojan.Win32.BHO.cmd 1
E:\Start.exe Infected: Backdoor.Win32.VB.dav 1
F:\Start.exe Infected: Backdoor.Win32.VB.dav 1
The selected area was scanned.
Hi
Delete following files:
C:\Documents and Settings\NYPD\Desktop\SmitfraudFix.exe
C:\Documents and Settings\NYPD\lsass.exe
E:\Start.exe
F:\Start.exe
and folder:
C:\Documents and Settings\NYPD\Desktop\SmitfraudFix
Those in QooBox & system restore will be removed when you uninstall ComboFix (instructions in earlier post).
After this run Kaspersky online scanner again.
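The reply above sorts the report by where each hit lives: copies inside System Restore and the ComboFix quarantine are inert and go away with the restore reset and ComboFix /u, tool detections such as SmitfraudFix's Reboot.exe are the helper's own cleanup, and the remaining live files (lsass.exe in the user profile, Start.exe at the root of both external drives) are the ones to delete by hand. The script below is an added example, not part of the thread, that makes that sorting mechanical for the report format shown above. The bucket rules, the riskware prefixes and the list of system-process names are my assumptions; the sample lines are copied from the report above and trimmed to a few.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each hit lives.

Added example for this thread. Line format: "<path> Infected: <threat> <count>"
(or "... skipped" in the older report style); "Object is locked" and NSIS
container summary lines carry no threat name and are ignored. A "/" inside a
path marks an object inside a container (archive, stream, process image).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Hit(NamedTuple):
    path: str
    threat: str
    count: Optional[int]  # None for the older "skipped" report style


LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<tail>\d+|skipped)$")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:\\")
DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
RESTORE_DIR = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)
QUARANTINE_DIR = re.compile(r"\\QooBox\\Quarantine\\", re.IGNORECASE)
# Assumed: Kaspersky classes whose hits are tools needing a human decision.
RISKWARE = ("not-a-virus:RiskTool.", "not-a-virus:RemoteAdmin.")
# Assumed: core Windows process names that belong only in %SystemRoot%\system32.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe"}


def parse_report(text: str) -> List[Hit]:
    """Extract detection lines; anything without 'Infected:' is skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tail = m.group("tail")
        hits.append(Hit(m.group("path"), m.group("threat"),
                        int(tail) if tail.isdigit() else None))
    return hits


def classify(hit: Hit) -> str:
    p = hit.path
    if RESTORE_DIR.search(p):
        return "restore_point"         # cleared by the System Restore reset
    if QUARANTINE_DIR.search(p):
        return "combofix_quarantine"   # cleared by ComboFix /u
    if not DRIVE_PREFIX.match(p):
        return "running_process"       # no drive letter: scanned from memory
    if DRIVE_ROOT_EXE.match(p) and not p.upper().startswith("C:\\"):
        return "removable_drive_root"  # travels with the drive to other PCs
    if hit.threat.startswith(RISKWARE):
        return "riskware_review"       # legitimate tool or not, decide per case
    return "live_file"


def masquerades_as_system_process(path: str) -> bool:
    """True when a file carries a core process name but sits outside system32
    (the report's C:\\Documents and Settings\\NYPD\\lsass.exe)."""
    parts = path.lower().split("/", 1)[0].split("\\")
    return parts[-1] in SYSTEM_PROCESS_NAMES and "system32" not in parts


def triage(text: str) -> Dict[str, List[Hit]]:
    buckets: Dict[str, List[Hit]] = defaultdict(list)
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit)
    return dict(buckets)


def action_items(text: str) -> List[str]:
    """Outer files that need a manual delete, live C: hits first, then drive
    roots; container suffixes after '/' are dropped and duplicates merged."""
    b = triage(text)
    ordered = b.get("live_file", []) + b.get("removable_drive_root", [])
    return list(dict.fromkeys(h.path.split("/", 1)[0] for h in ordered))


# Sample lines copied from the report above (trimmed to one per bucket or so).
SAMPLE_REPORT = """\
lsass.exe\\lsass.exe/lsass.exe\\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\\Documents and Settings\\NYPD\\lsass.exe/C:\\Documents and Settings\\NYPD\\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\\Documents and Settings\\NYPD\\Desktop\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\\Documents and Settings\\NYPD\\lsass.exe Infected: Backdoor.Win32.VB.dav 1
C:\\IBMTOOLS\\APPS\\RRPC\\RRPC\\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\g29.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\\System Volume Information\\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\\RP408\\A0119520.dll Infected: Trojan.Win32.BHO.cmd 1
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
E:\\Start.exe Infected: Backdoor.Win32.VB.dav 1
F:\\Start.exe Infected: Backdoor.Win32.VB.dav 1
"""

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(bucket, [h.path for h in hits])
    print("delete by hand:", action_items(SAMPLE_REPORT))
```

Running it on the sample reproduces the reply's list: the profile copy of lsass.exe plus E:\Start.exe and F:\Start.exe, with the in-memory lsass.exe hit surfacing separately as the reason that file cannot simply be left alone, and the IBM VNC installer landing in the review bucket rather than the delete list.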
BronxBoy
2008-06-20, 00:39
Hi-
I think I was able to remove the proper items from the C drive. But I was not able to find the Start.exe items on the external drives. I used the Search function, but couldn't find them...I don't want to remove the wrong items. What should I do now? Thanks, George
Hi
Let's see if those files are there or not.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
E:\Start.exe
F:\Start.exe
Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Also, re-run Kaspersky online scanner and post its report.
BronxBoy
2008-06-20, 21:20
Hi-
Here's what was in the Results window of OTMoveIt2. I will now rerun Kaspersky and post the report shortly.
George
E:\Start.exe moved successfully.
F:\Start.exe moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06202008_141719
Ok. Shall wait for that report :)
BronxBoy
2008-06-21, 00:37
Hi-
Here's a new Kaspersky report. Thanks for your patience in looking at all this stuff. George
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 20, 2008 18:25:58
Records in database: 879810
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 96408
Threat name: 43
Infected objects: 91
Suspicious objects: 0
Duration of the scan: 02:50:15
File name / Threat name / Threats count
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z 1
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip Infected: Trojan.Win32.Pakes.cwd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes18\pnVes182328.exe.vir Infected: Trojan-Downloader.Win32.VB.ebf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\QooBox\Quarantine\C\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll.vir Infected: Trojan.Win32.BHO.cmd 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hh 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119519.exe Infected: Trojan-Downloader.Win32.VB.ebf 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119520.dll Infected: Trojan.Win32.BHO.cmd 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP411\A0121840.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP411\A0121875.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP411\A0121886.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\_OTMoveIt\MovedFiles\06202008_141719\Start.exe Infected: Backdoor.Win32.VB.dav 1
The selected area was scanned.
Hi
This can be ignored:
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2
Other findings get deleted when you do a system restore, uninstall ComboFix and run the CleanUp! function of OTMoveIt2. Instructions for this are in post #21 (http://forums.spybot.info/showpost.php?p=200214&postcount=21)
BronxBoy
2008-06-23, 07:55
Hi-
I still seem to be having a problem...I don't know if it's a different problem, or part of the same problems.
I followed your instructions in post 21...reset system restore, uninstalled Combofix, etc. I then attempted to do another Kaspersky scan, so I could post it for you to look at and make sure all was now well.
But now I have not been able to get through the Kaspersky scan. It gets part way through, and then all of a sudden I get a blue screen that says "Windows has encountered a problem and needs to close." The computer then reboots. I tried four times to run the Kaspersky, and was not able to get farther than 33% of the way through before the computer would reboot.
Is this related to the problem I was having, or is this a brand new problem? :) Thanks for your patience in helping me with all this mess.
George
Hi
That may be a hardware problem. Try defragging the hard drive and then try again. If it shows a BSOD (blue screen of death) again then please note down the complete error message.
BronxBoy
2008-06-24, 22:59
Hi-
I tried again twice. The first time, the computer froze up about four hours (30%) into the process...it was frozen to the extent that I had to take the battery out to get it to reboot. The second time, just putting the Kaspersky scanner up on the screen froze up the computer, before I could even start the scan (that time I was able to reboot using Control Alt Delete).
Where do I go from here? Sorry for the long chain of problems. You're putting a lot of time into talking me through this process, and I appreciate it.
George
Hi
Did you do defragmentation before trying to scan?
If you did, then maybe you could try this :)
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
BronxBoy
2008-06-26, 02:06
Hi-I did defragmentation before my last time trying Kaspersky, and it didn't help. Here's the Malwarebytes log--thanks:
Malwarebytes' Anti-Malware 1.18
Database version: 892
6:58:49 PM 6/25/2008
mbam-log-6-25-2008 (18-58-49).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 130558
Time elapsed: 1 hour(s), 19 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\stflex.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\stflex.band.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spcron (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\wTMP (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP1\A0000047.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP412\A0121951.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
Looks ok. :) Any troubles left?
BronxBoy
2008-06-26, 22:39
Hi-
I'm off to Hawaii for two weeks, and don't have time before leaving to try to run the Kaspersky and see what happens. Can I do it when I return and let you know? Will this thread remain active?
George
Hi
Thanks for the heads up. I'll try to remember to keep the thread open. Have a nice time in Hawaii :cool:
BronxBoy
2008-07-12, 05:59
Hi-
I had to interrupt the problem-solving process that you are so graciously helping me with, in order to go to Hawaii for my friend's wedding. I'm back now (GREAT trip!!!) and I hope you'll help me clean up the loose ends:)
At this point, should I run a Kaspersky or other scan to see where we're at?
Thanks,
George
Welcome back :)
Yes, you may run Kaspersky online scanner and post back its report.
BronxBoy
2008-07-13, 07:39
Hi-
Here's the new Kaspersky report. Thanks, George
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 12, 2008 22:06:49
Records in database: 946264
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 94407
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 06:55:01
File name / Threat name / Threats count
C:\Documents and Settings\NYP\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.71585 Infected: Backdoor.Win32.VB.dav 1
C:\Documents and Settings\NYP\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.76578 Infected: Backdoor.Win32.VB.dav 1
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2
The selected area was scanned.
That actually looks good :) You can remove the first two on the list by clearing quarantine items from the Malwarebytes' Anti-Malware program. The third finding is a false positive. No need to worry about it.
BronxBoy
2008-07-18, 02:33
Hi-
It sounds like we're making a lot of progress, thanks to you. How exactly do I clear the quarantine items, as you mentioned in your last post?
Thanks,
George
How exactly do I clear the quarantine items, as you mentioned in your last post?
Hi
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Go to C:\Documents and Settings\NYP\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine folder and delete items in it. :)
Then hide hidden files again:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by Hide file extensions for known file types.
Under the Hidden files folder, select Show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.
BronxBoy
2008-07-24, 01:30
Hi-
I followed your instructions above. But in step 5, did you mean check "DO NOT show hidden files and folders"?
Should I run any more scans now, or are we finished?
Also, can you recommend anything more I can do to make the computer run more smoothly? Thanks to you, we definitely got rid of my original horrible problem, which was the malware and the continuing pop-ups. It's 100 times better than it was. But the machine still runs very sluggishly, and every so often I get the "blue screen of death" and it reboots for no apparent reason. Is there any solution for that?
Thanks for everything you've done so far!!!!
George
I followed your instructions above. But in step 5, did you mean check "DO NOT show hidden files and folders"?
The hiding part is actually mentioned in step 6 :)
Should I run any more scans now, or are we finished?
I think we are finished here.
You may try hints given here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) to possibly make system faster.
BronxBoy
2008-07-25, 00:56
Thanks again for all your help. I appreciate all the time you've put into this project. I will try the hints at the link you sent me.
All the best,
George
You're welcome :)
Hopefully you find the hints behind the link helpful.