I think my computer is infected. Please help.

J

jamesdang

New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57, on 2008-05-10
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spcron.dll (file missing)
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137299390562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137299378734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8494 bytes
 
Kaspersky Online Scanner Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-10 17:36
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 754681
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 130654
Number of viruses found: 26
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 01:55:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03C40000.VBN Infected: Worm.Win32.RJump.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03C40002.VBN Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03C40003.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03C40004.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03C40006.VBN Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03DC0000.VBN Infected: Trojan-Downloader.Win32.Homles.bm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080000.VBN Infected: Worm.Win32.RJump.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08680000.VBN Infected: Trojan-Downloader.JS.Agent.ama skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08680001.VBN Infected: Trojan-Downloader.JS.Agent.ama skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240000.VBN Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240001.VBN Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240002.VBN Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240003.VBN Infected: Trojan-Downloader.Win32.Agent.ofz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B240005.VBN Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C180000.VBN Infected: Trojan-Downloader.JS.Psyme.wi skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\Documents and Settings\Owner\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\winvsnet.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster skipped
C:\Documents and Settings\Owner\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\Owner\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\JavaCore\JavaCore.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\WinAntiSpyware 2007\InstUp.exe.vir/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\QooBox\Quarantine\C\Program Files\WinAntiSpyware 2007\InstUp.exe.vir Inno: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\WinAntiSpyware 2007\was7.exe.vir Infected: Trojan-Downloader.Win32.Agent.dhj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebxwxu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP306\A0090858.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP306\A0090863.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP306\A0090863.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP306\A0090864.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP307\A0092064.exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareMaster skipped
C:\System Volume Information\_restore{1621D2DD-8C01-45DF-84EC-7553CD8DA3ED}\RP310\change.log Object is locked skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\b152.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\WINDOWS\b156.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3a8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi,

Welcome to Safer Networking. :cowboy:

Why isn't your Windows up-to-date? Please do not update now as the infections you have may cause instabilities when you update.

Step 1

Please delete the current copy of Combofix and download a new one from one of the links below:

Bleeping Computer
Forospyware
Geeks to Go

Then visit this webpage for the instructions for running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:

RC_whatnext.gif


Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
  3. The Uninstall list
 
ComboFix

ComboFix 08-05-12.1 - Owner 2008-05-13 20:04:46.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\My Documents\DOBE~1
C:\Documents and Settings\Owner\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Owner\My Documents\DOBE~1\mmc.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\WINDOWS\system32\abJlUvut.ini
C:\WINDOWS\system32\abJlUvut.ini2
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Program Files\Common Files\fnts~1
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\JavaCore
C:\Program Files\outerinfo
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 20:18 . 2008-05-13 20:18 22 --a------ C:\WINDOWS\pskt.ini
2008-05-13 17:56 . 2008-05-13 17:56 99,008 --a------ C:\WINDOWS\system32\mchdqwjo.dll
2008-05-13 17:56 . 2008-05-13 17:56 2,112 --a------ C:\WINDOWS\system32\gugadmof.exe
2008-05-13 17:50 . 2008-05-13 17:50 314,480 --a------ C:\WINDOWS\system32\tuvUlJba.dll
2008-05-12 21:43 . 2008-05-12 21:43 314,480 --a------ C:\WINDOWS\system32\urqPjKBt.dll
2008-05-12 20:50 . 2008-05-12 20:50 98,896 --a------ C:\WINDOWS\system32\itxiirva.dll
2008-05-12 20:50 . 2008-05-12 20:50 90,176 --a------ C:\WINDOWS\system32\ybkhjbps.dll
2008-05-12 20:50 . 2008-05-12 20:50 2,048 --a------ C:\WINDOWS\system32\yydcmhxu.exe
2008-05-12 20:48 . 2008-05-12 20:48 98,896 --a------ C:\WINDOWS\system32\mruinlfx.dll
2008-05-12 20:45 . 2008-05-12 20:45 2,048 --a------ C:\WINDOWS\system32\yxgacvey.exe
2008-05-12 20:40 . 2008-05-12 20:40 90,176 --a------ C:\WINDOWS\system32\lnllsryr.dll
2008-05-12 20:35 . 2008-05-12 20:35 0 --a------ C:\WINDOWS\system32\eutuioip.tmp
2008-05-12 20:32 . 2008-05-12 20:32 2,048 --a------ C:\WINDOWS\system32\rsvmfbiy.exe
2008-05-12 20:29 . 2008-05-12 20:29 98,896 --a------ C:\WINDOWS\system32\aebxephs.dll
2008-05-12 20:29 . 2008-05-12 20:29 90,176 --a------ C:\WINDOWS\system32\jrxukkdg.dll
2008-05-12 18:30 . 2008-05-12 18:30 <DIR> d-------- C:\Program Files\RcvSystem
2008-05-12 01:15 . 2008-05-12 01:15 98,896 --a------ C:\WINDOWS\system32\tmnqavaq.dll
2008-05-12 01:12 . 2008-05-12 01:12 2,048 --a------ C:\WINDOWS\system32\eafxxwuk.exe
2008-05-12 01:10 . 2008-05-12 01:10 90,176 --a------ C:\WINDOWS\system32\hvmaeugy.dll
2008-05-11 17:11 . 2008-05-13 19:36 1,916 --a------ C:\WINDOWS\system32\default.htm
2008-05-11 15:12 . 2008-05-11 15:12 2,048 --a------ C:\WINDOWS\system32\cuqbyobq.exe
2008-05-11 15:11 . 2008-05-13 20:18 109,803 --a------ C:\WINDOWS\BMab81e7d9.xml
2008-05-11 15:11 . 2008-05-11 15:11 90,208 --a------ C:\WINDOWS\system32\emfmwgtq.dll
2008-05-11 15:11 . 2008-05-11 15:11 83,024 --a------ C:\WINDOWS\system32\imgytdkl.dll
2008-05-11 15:07 . 2008-05-11 15:07 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 15:04 . 2008-05-11 15:04 25,728 --a------ C:\WINDOWS\system32\khfDVLDV.dll
2008-05-11 15:03 . 2008-05-11 15:03 578 --a------ C:\WINDOWS\index.html
2008-05-11 15:02 . 2008-05-11 15:02 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 15:02 . 2008-05-11 15:02 <DIR> d-------- C:\Temp\tmpvc14
2008-05-11 15:02 . 2008-05-11 15:02 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 11:10 . 2008-05-09 11:10 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-05 19:08 . 2008-05-10 09:23 <DIR> d-------- C:\Program Files\Spcron
2008-05-05 19:03 . 2008-05-05 19:03 <DIR> d-------- C:\Program Files\Svconr
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 21:17 . 2008-05-04 21:17 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-04 19:22 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-04 19:22 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-04 19:22 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-04 18:53 . 2008-05-04 18:58 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-04-24 14:44 . 2008-04-24 11:44 73,728 --a------ C:\WINDOWS\b156.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 03:15 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-14 03:03 --------- d-----w C:\Program Files\TomTom HOME
2008-05-10 17:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-03 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-24 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-04-13 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-13 18:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2007-05-24 02:04 7,248 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-05-19 00:32 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-19 00:32 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
C:\Program Files\QdrDrive\QdrDrive15.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9ac70b7-f4f8-41ce-b467-5513b7facb75}]
2008-05-13 17:56 99008 --a------ C:\WINDOWS\System32\mchdqwjo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 15:04 25728 --a------ C:\WINDOWS\system32\khfDVLDV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF4F44FF-6399-4191-BC6F-1ED794A472F4}]
2008-05-13 17:50 314480 --a------ C:\WINDOWS\System32\tuvUlJba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 13:26 13312]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [ ]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [ ]
"InstantAccess"="C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe" [2000-01-19 16:43 49152]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 15:51 192512]
"a8b2d445"="C:\WINDOWS\System32\uepjdhro.dll" [ ]
"BMab81e7d9"="C:\WINDOWS\System32\ybkhjbps.dll" [2008-05-12 20:50 90176]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-16 13:37 51200 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4567AB12-B980-44A5-B259-9B09EBEA6331}"= C:\Program Files\WinAntiSpyware 2007\shellext.dll [ ]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\khfDVLDV.dll [2008-05-11 15:04 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDVLDV]
khfDVLDV.dll 2008-05-11 15:04 25728 C:\WINDOWS\system32\khfDVLDV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\tuvUlJba

S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe" [2006-11-08 15:21]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 20:18:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\abJlUvut.ini 347 bytes
C:\WINDOWS\system32\abJlUvut.ini2 347 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\khfDVLDV.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\ybkhjbps.dll
-> C:\WINDOWS\System32\tuvUlJba.dll
-> C:\Program Files\TextBridge Pro Millennium\Bin\TBMHOOK.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-13 20:32:01 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-14 03:31:46

Pre-Run: 13,793,415,168 bytes free
Post-Run: 14,618,656,768 bytes free

274
 
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:53 PM, on 5/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [a8b2d445] rundll32.exe "C:\WINDOWS\System32\uepjdhro.dll",b
O4 - HKLM\..\Run: [BMab81e7d9] Rundll32.exe "C:\WINDOWS\System32\ybkhjbps.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137299390562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137299378734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8358 bytes
 
uninstall list

Audacity 1.2.6
Citi Virtual Account Numbers
Dell Laser MFP 1600n Software Uninstall
HijackThis 2.0.2
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
palmOne
Picasa 2
PoiEdit
Spybot - Search & Destroy
TurboTax Home & Business 2007
Windows Media Format Runtime
 
General notes:

It took me so much time, finally, done. Now, my computer has some problems:
1. In the middle of my monitor, It says as follow:
Your computer has several fatal errors due to spyware activity
It is strongly recomended to install an antispyware software to close all security vulnerabilities.
Antispyware software help protect your PC against spyware and other security threats.​
CLICK HERE TO SCAN YOUR PC FOR SPYWARE​

2. Popup Window (name of window: Microsoft internet Explorer):
NOTICE: Your computer is infected......
Do you want to install AntiSpywareMaster to scan your PC for Malware now? (Recommended)​

===> Absolutely, I won't "Click here..." or "install AntiSpywareMaster".
3. When I restart my computer, some error window popup:
"Error loading C:\Windows\System32\ybkhjbps.dll
Invalid access to memory location"
"Error loading C:\Windows\System32\uepjdhro.dll
Invalid access to memory location"​

4. Task manager does not work.
When I hit 3 keys: Ctrl + Alt + Delete, It shows me a message:
"Task manager has been disabled by your administrator"​

I am administrator and I did not disable it. That means it don't let me get in the tast manager.

Thanks
 
Hi,

I suggest that you keep your computer disconnected from the Internet, only connect to print out or save a copy of the fixes and to post back the logs.

Your computer is not up-to-date and to keep it connected will only download more malware than we are able to fix.

Your Uninstall List also looks short. Is that all that is installed on your computer?
_________________________

Please see this topic to disable Symantec Antivirus temporarily - http://www.bleepingcomputer.com/forums/topic114351.html
_________________________

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: 
http://forums.spybot.info/showthread.php?p=191678#post191678

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\default.htm
C:\WINDOWS\BMab81e7d9.xml
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\index.html
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe

Collect::
C:\WINDOWS\system32\mchdqwjo.dll
C:\WINDOWS\system32\gugadmof.exe
C:\WINDOWS\system32\tuvUlJba.dll
C:\WINDOWS\system32\urqPjKBt.dll
C:\WINDOWS\system32\itxiirva.dll
C:\WINDOWS\system32\ybkhjbps.dll
C:\WINDOWS\system32\yydcmhxu.exe
C:\WINDOWS\system32\mruinlfx.dll
C:\WINDOWS\system32\yxgacvey.exe
C:\WINDOWS\system32\lnllsryr.dll
C:\WINDOWS\system32\eutuioip.tmp
C:\WINDOWS\system32\rsvmfbiy.exe
C:\WINDOWS\system32\aebxephs.dll
C:\WINDOWS\system32\jrxukkdg.dll
C:\WINDOWS\system32\tmnqavaq.dll
C:\WINDOWS\system32\eafxxwuk.exe
C:\WINDOWS\system32\hvmaeugy.dll
C:\WINDOWS\system32\cuqbyobq.exe
C:\WINDOWS\system32\emfmwgtq.dll
C:\WINDOWS\system32\imgytdkl.dll
C:\WINDOWS\system32\khfDVLDV.dll
C:\WINDOWS\b2new.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b152.exe

Folder::
C:\Program Files\RcvSystem
C:\WINDOWS\system32\dFrnx06
C:\Temp\tmpvc14
C:\Program Files\Spcron
C:\Program Files\Svconr
C:\WINDOWS\system32\bkEur01
C:\Program Files\WinAntiSpyware 2007

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9ac70b7-f4f8-41ce-b467-5513b7facb75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF4F44FF-6399-4191-BC6F-1ED794A472F4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svconr"=-
"QdrPack16"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a8b2d445"=-
"BMab81e7d9"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4567AB12-B980-44A5-B259-9B09EBEA6331}"=-
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDVLDV]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]

Rootkit::
C:\WINDOWS\system32\abJlUvut.ini
C:\WINDOWS\system32\abJlUvut.ini2

Warning: The above script is just for jamesdang. If you are not jamesdang, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

CFScript.gif


Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

CF-Submit_notice.gif


Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

cfsumbit320.png


Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
  3. The Uninstall List (if the previous one was not a complete list)
 
ComboFix log

ComboFix 08-05-12.1 - Owner 2008-05-14 18:37:46.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.406 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\BMab81e7d9.xml
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\default.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Tuan-Anh\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\RcvSystem
C:\Program Files\Spcron
C:\Program Files\Svconr
C:\Temp\tmpvc14
C:\WINDOWS\b104.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\BMab81e7d9.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abJlUvut.ini
C:\WINDOWS\system32\abJlUvut.ini2
C:\WINDOWS\system32\aebxephs.dll
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\bwsoesdh.dll
C:\WINDOWS\system32\cecnifba.ini
C:\WINDOWS\system32\cuqbyobq.exe
C:\WINDOWS\system32\default.htm
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\eafxxwuk.exe
C:\WINDOWS\system32\emfmwgtq.dll
C:\WINDOWS\system32\eutuioip.tmp
C:\WINDOWS\system32\gugadmof.exe
C:\WINDOWS\system32\gvcqitrb.ini
C:\WINDOWS\system32\hdseoswb.ini
C:\WINDOWS\system32\hvmaeugy.dll
C:\WINDOWS\system32\imgytdkl.dll
C:\WINDOWS\system32\itxiirva.dll
C:\WINDOWS\system32\jrxukkdg.dll
C:\WINDOWS\system32\khfDVLDV.dll
C:\WINDOWS\system32\lnllsryr.dll
C:\WINDOWS\system32\lUCegMoq.ini
C:\WINDOWS\system32\lUCegMoq.ini2
C:\WINDOWS\system32\mchdqwjo.dll
C:\WINDOWS\system32\mruinlfx.dll
C:\WINDOWS\system32\mvflgvrg.ini
C:\WINDOWS\system32\oqhtecis.ini
C:\WINDOWS\system32\oUtuwyxx.ini
C:\WINDOWS\system32\oUtuwyxx.ini2
C:\WINDOWS\system32\rsvmfbiy.exe
C:\WINDOWS\system32\tmnqavaq.dll
C:\WINDOWS\system32\tuvUlJba.dll
C:\WINDOWS\system32\urqPjKBt.dll
C:\WINDOWS\system32\ybkhjbps.dll
C:\WINDOWS\system32\yxgacvey.exe
C:\WINDOWS\system32\yydcmhxu.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-14 17:51 . 2008-05-14 17:51 98,928 --a------ C:\WINDOWS\system32\xujbcfhw.dll
2008-05-14 17:46 . 2008-05-14 17:46 90,208 --a------ C:\WINDOWS\system32\rtnalxuh.dll
2008-05-14 17:46 . 2008-05-14 17:46 2,048 --a------ C:\WINDOWS\system32\heysqwbs.exe
2008-05-14 17:45 . 2008-05-14 17:45 314,448 --a------ C:\WINDOWS\system32\xxywutUo.dll
2008-05-14 01:16 . 2008-05-14 01:16 2,112 --a------ C:\WINDOWS\system32\irxumptp.exe
2008-05-14 01:13 . 2008-05-14 01:13 99,008 --a------ C:\WINDOWS\system32\jxuhwvks.dll
2008-05-14 01:13 . 2008-05-14 01:13 90,304 --a------ C:\WINDOWS\system32\jmowyrxk.dll
2008-05-14 01:02 . 2008-05-14 01:02 99,008 --a------ C:\WINDOWS\system32\aprngklv.dll
2008-05-14 01:00 . 2008-05-14 01:00 2,112 --a------ C:\WINDOWS\system32\loqrkfbt.exe
2008-05-14 00:59 . 2008-05-14 00:59 90,304 --a------ C:\WINDOWS\system32\lplgofia.dll
2008-05-14 00:25 . 2008-05-14 00:25 99,008 --a------ C:\WINDOWS\system32\ysmiiyuu.dll
2008-05-14 00:23 . 2008-05-14 00:23 90,304 --a------ C:\WINDOWS\system32\xksfstda.dll
2008-05-14 00:23 . 2008-05-14 00:23 2,112 --a------ C:\WINDOWS\system32\uetberyh.exe
2008-05-13 21:15 . 2008-05-13 21:15 99,008 --a------ C:\WINDOWS\system32\ukeyddbf.dll
2008-05-13 21:13 . 2008-05-13 21:13 90,304 --a------ C:\WINDOWS\system32\uojigcjk.dll
2008-05-13 21:13 . 2008-05-13 21:13 2,112 --a------ C:\WINDOWS\system32\lmhlpwgm.exe
2008-05-13 21:12 . 2008-05-13 21:12 314,480 --a------ C:\WINDOWS\system32\qoMgeCUl.dll
2008-05-13 20:37 . 2008-05-13 20:37 15,784 --a------ C:\Temp\combofix copy.txt
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 21:17 . 2008-05-04 21:17 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-04 19:22 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-04 19:22 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-04 19:22 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 01:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-14 03:03 --------- d-----w C:\Program Files\TomTom HOME
2008-05-10 17:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-03 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-24 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-04-13 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-13 18:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2007-05-24 02:04 7,248 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-05-19 00:32 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-19 00:32 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_20.31.19.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 03:15:17 2,048 ----a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 01:50:14 2,048 ----a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-15 00:35:17 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-15 00:35:17 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-15 01:50:45 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1661446f-5bdc-437c-aed9-30651f0465b7}]
2008-05-14 17:51 98928 --a------ C:\WINDOWS\System32\xujbcfhw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D16AC370-D375-4A66-99EC-C107854FD35E}]
2008-05-13 21:12 314480 --a------ C:\WINDOWS\System32\qoMgeCUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEAB4A44-457C-4841-BA0D-1EAC4F85326D}]
2008-05-14 17:45 314448 --a------ C:\WINDOWS\System32\xxywutUo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 13:26 13312]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [ ]
"InstantAccess"="C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe" [2000-01-19 16:43 49152]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 15:51 192512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-16 13:37 51200 C:\WINDOWS\system32\narrator.exe]

S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe" [2006-11-08 15:21]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:52:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-14 19:04:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 02:04:50
ComboFix2.txt 2008-05-14 03:32:03

Pre-Run: 14,578,831,360 bytes free
Post-Run: 14,579,511,296 bytes free

192
 
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:57 PM, on 5/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {7b5640f1-5603-9dea-c734-cdb5f6441661} - {1661446f-5bdc-437c-aed9-30651f0465b7} - C:\WINDOWS\System32\xujbcfhw.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D16AC370-D375-4A66-99EC-C107854FD35E} - C:\WINDOWS\System32\qoMgeCUl.dll
O2 - BHO: (no name) - {FEAB4A44-457C-4841-BA0D-1EAC4F85326D} - C:\WINDOWS\System32\xxywutUo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137299390562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137299378734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8646 bytes
 
uninstall_list. That's all. Not different with the first.

Audacity 1.2.6
Citi Virtual Account Numbers
Dell Laser MFP 1600n Software Uninstall
HijackThis 2.0.2
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
palmOne
Picasa 2
PoiEdit
Spybot - Search & Destroy
TurboTax Home & Business 2007
Windows Media Format Runtime
 
Status after doing this.

Only one thing is still happening is popup internet explorer "antivirusmater" and popup window microsoft internet explorer asking "...would you like to install AdvanceCleaner..."
 
Hi,

Again, please keep your computer disconnected from the Internet, other than to print or save a copy of the fix and post the logs.

Step 1

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: 
File::
C:\WINDOWS\system32\xujbcfhw.dll
C:\WINDOWS\system32\rtnalxuh.dll
C:\WINDOWS\system32\heysqwbs.exe
C:\WINDOWS\system32\xxywutUo.dll
C:\WINDOWS\system32\irxumptp.exe
C:\WINDOWS\system32\jxuhwvks.dll
C:\WINDOWS\system32\jmowyrxk.dll
C:\WINDOWS\system32\aprngklv.dll
C:\WINDOWS\system32\loqrkfbt.exe
C:\WINDOWS\system32\lplgofia.dll
C:\WINDOWS\system32\ysmiiyuu.dll
C:\WINDOWS\system32\xksfstda.dll
C:\WINDOWS\system32\uetberyh.exe
C:\WINDOWS\system32\ukeyddbf.dll
C:\WINDOWS\system32\uojigcjk.dll
C:\WINDOWS\system32\lmhlpwgm.exe
C:\WINDOWS\system32\qoMgeCUl.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1661446f-5bdc-437c-aed9-30651f0465b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D16AC370-D375-4A66-99EC-C107854FD35E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEAB4A44-457C-4841-BA0D-1EAC4F85326D}]

Warning: The above script is just for jamesdang. If you are not jamesdang, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

CFScript.gif


Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

Please open a new Notepad file and copy and paste the following in the Code box into Notepad:

Code: 
@echo off
echo Log file can be found at C:\results.txt if Notepad doesn't open automatically.
dir /s ip6fw.sys >> C:\results.txt
dir /s /a:h ip6fw.sys >> C:\results.txt
notepad C:\results.txt

Click on File > Save As....

In the File Name box, copy and paste in look.bat

In the Save As Type box, select All Files from the drop-down list.

Click Save.

Double click on look.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. Contents of Notepad file from Step 2 (C:\results.txt)
  3. A new HijackThis log
 
ComboFix log

ComboFix 08-05-12.1 - Owner 2008-05-15 18:45:58.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.404 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\aprngklv.dll
C:\WINDOWS\system32\heysqwbs.exe
C:\WINDOWS\system32\irxumptp.exe
C:\WINDOWS\system32\jmowyrxk.dll
C:\WINDOWS\system32\jxuhwvks.dll
C:\WINDOWS\system32\lmhlpwgm.exe
C:\WINDOWS\system32\loqrkfbt.exe
C:\WINDOWS\system32\lplgofia.dll
C:\WINDOWS\system32\qoMgeCUl.dll
C:\WINDOWS\system32\rtnalxuh.dll
C:\WINDOWS\system32\uetberyh.exe
C:\WINDOWS\system32\ukeyddbf.dll
C:\WINDOWS\system32\uojigcjk.dll
C:\WINDOWS\system32\xksfstda.dll
C:\WINDOWS\system32\xujbcfhw.dll
C:\WINDOWS\system32\xxywutUo.dll
C:\WINDOWS\system32\ysmiiyuu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aprngklv.dll
C:\WINDOWS\system32\heysqwbs.exe
C:\WINDOWS\system32\irxumptp.exe
C:\WINDOWS\system32\jmowyrxk.dll
C:\WINDOWS\system32\jxuhwvks.dll
C:\WINDOWS\system32\lmhlpwgm.exe
C:\WINDOWS\system32\loqrkfbt.exe
C:\WINDOWS\system32\lplgofia.dll
C:\WINDOWS\system32\lUCegMoq.ini
C:\WINDOWS\system32\lUCegMoq.ini2
C:\WINDOWS\system32\ogwcfait.ini
C:\WINDOWS\system32\oUtuwyxx.ini
C:\WINDOWS\system32\oUtuwyxx.ini2
C:\WINDOWS\system32\qoMgeCUl.dll
C:\WINDOWS\system32\rtnalxuh.dll
C:\WINDOWS\system32\tiafcwgo.dll
C:\WINDOWS\system32\uetberyh.exe
C:\WINDOWS\system32\ukeyddbf.dll
C:\WINDOWS\system32\uojigcjk.dll
C:\WINDOWS\system32\xksfstda.dll
C:\WINDOWS\system32\xujbcfhw.dll
C:\WINDOWS\system32\xxywutUo.dll
C:\WINDOWS\system32\ysmiiyuu.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-14 20:03 . 2008-05-14 20:03 98,992 --a------ C:\WINDOWS\system32\kardufgm.dll
2008-05-14 20:01 . 2008-05-14 20:20 109,831 --a------ C:\WINDOWS\BMab81e7d9.xml
2008-05-14 20:01 . 2008-05-14 20:01 90,272 --a------ C:\WINDOWS\system32\fnlcpwhn.dll
2008-05-14 20:01 . 2008-05-14 20:01 2,112 --a------ C:\WINDOWS\system32\agpwyuwk.exe
2008-05-13 20:37 . 2008-05-13 20:37 15,784 --a------ C:\Temp\combofix copy.txt
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 21:17 . 2008-05-04 21:17 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-04 19:22 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-04 19:22 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-04 19:22 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 01:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-10 17:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-03 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-24 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-04-13 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-13 18:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2007-05-24 02:04 7,248 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-05-19 00:32 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-19 00:32 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_20.31.19.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 03:15:17 2,048 ----a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 01:53:57 2,048 ----a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-16 01:27:30 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-16 01:27:30 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-16 01:27:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-16 01:54:13 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_468.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4d012a9-bad8-492d-8344-a469e14c531f}]
2008-05-14 20:03 98992 --a------ C:\WINDOWS\System32\kardufgm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 13:26 13312]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [ ]
"InstantAccess"="C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe" [2000-01-19 16:43 49152]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 15:51 192512]
"BMab81e7d9"="C:\WINDOWS\System32\fnlcpwhn.dll" [2008-05-14 20:01 90272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-16 13:37 51200 C:\WINDOWS\system32\narrator.exe]

S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe" [2006-11-08 15:21]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 20:07:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\TextBridge Pro Millennium\Bin\TBMHOOK.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-15 20:21:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 03:21:20
ComboFix2.txt 2008-05-15 02:04:57
ComboFix3.txt 2008-05-14 03:32:03

Pre-Run: 16,963,932,160 bytes free
Post-Run: 17,111,773,184 bytes free

162
 
Results.txt (that's all).

Volume in drive C is James
Volume Serial Number is A8B2-D4EA
Volume in drive C is James
Volume Serial Number is A8B2-D4EA
 
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:48 PM, on 5/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f135c41e-964a-4438-d294-8dab9a210d4f} - {f4d012a9-bad8-492d-8344-a469e14c531f} - C:\WINDOWS\System32\kardufgm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [BMab81e7d9] Rundll32.exe "C:\WINDOWS\System32\fnlcpwhn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137299390562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137299378734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8500 bytes
 
Thanks for your help.

Hi, ndmmxiaomayi
There are still some problems remained:
1. When restart computer, popup window
Rundll
Error loading C:\windows\system32\fnlcpwhn.dll
Invalid access to memory location​
2. Internet explorer window still popup, examples:
ToseekA
www. thestreet.com/.../advertise/...
 
Hi,

Your logs are looking better now. :) Hopefully the first issue can be resolved soon when it is removed from startup.

For the second issue, we will deal with it later.

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: 
File::
C:\WINDOWS\system32\kardufgm.dll
C:\WINDOWS\BMab81e7d9.xml
C:\WINDOWS\system32\fnlcpwhn.dll
C:\WINDOWS\system32\agpwyuwk.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f4d012a9-bad8-492d-8344-a469e14c531f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMab81e7d9"=-

Warning: The above script is just for jamesdang. If you are not jamesdang, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

CFScript.gif


Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
 
Combofix log

ComboFix 08-05-12.1 - Owner 2008-05-16 19:26:54.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.389 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMab81e7d9.xml
C:\WINDOWS\system32\agpwyuwk.exe
C:\WINDOWS\system32\fnlcpwhn.dll
C:\WINDOWS\system32\kardufgm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\BMab81e7d9.xml
C:\WINDOWS\system32\agpwyuwk.exe
C:\WINDOWS\system32\fnlcpwhn.dll
C:\WINDOWS\system32\kardufgm.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-13 20:37 . 2008-05-13 20:37 15,784 --a------ C:\Temp\combofix copy.txt
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 18:32 . 2008-05-05 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 21:17 . 2008-05-04 21:17 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-04 19:22 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-04 19:22 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-04 19:22 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-04 19:22 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 02:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-10 17:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-03 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-24 03:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-04-13 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-13 18:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intuit
2007-05-24 02:04 7,248 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2007-05-19 00:32 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-05-19 00:32 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_20.31.19.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 03:15:17 2,048 ----a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 02:23:12 2,048 ----a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-17 02:23:13 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 00:44:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-17 02:23:13 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-17 02:23:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-17 02:23:43 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_36c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 13:26 13312]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [ ]
"InstantAccess"="C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe" [2000-01-19 16:43 49152]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 15:51 192512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2003-07-16 13:37 51200 C:\WINDOWS\system32\narrator.exe]

S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe" [2006-11-08 15:21]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 19:31:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-16 19:36:32
ComboFix-quarantined-files.txt 2008-05-17 02:35:47
ComboFix2.txt 2008-05-16 03:21:27
ComboFix3.txt 2008-05-15 02:04:57
ComboFix4.txt 2008-05-14 03:32:03

Pre-Run: 17,048,080,384 bytes free
Post-Run: 17,038,680,064 bytes free

106
 
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:57 PM, on 5/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\TextBridge Pro Millennium\Bin\InstantAccess.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137299390562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137299378734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8271 bytes
 
You must log in or register to reply here.
Back
Top