Online Security Guide, Live Safety Center & more

I ran Kaspersky again last night. There are network paths and folders that include people's names, so I am going to post only the infected files similarly to the way I did before. If you need more information, I can send that to you privately, just let me know. I have included a little bit more information than last time.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-28 07:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 467164
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\
O:\
T:\
U:\
V:\
X:\

Scan Statistics:
Total number of scanned objects: 932244
Number of viruses found: 6
Number of infected objects: 9
Number of suspicious objects: 5
Duration of the scan process: 06:05:45

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300002.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP14\A0000938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
[network shared path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[network shared path omitted]\\pk263wsp(1).exe ZIP: infected - 1 skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ***** <*****@*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ****** <*****.*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
T:\Media\Drawings\~DIB0617.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0708.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB087E.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0970.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB1026.TMP Suspicious: Exploit.Win32.IMG-BMP skipped

Scan process completed.
 
Hi

My apologies for missing that you had posted the KASPERSKY entries ...

The infected files are in 3 locations :-

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

You need to empty your Quarantine folder ...

-
C:\System Volume Information\_restore

For this you need to purge your restore points ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

-
& these :-

[network shared path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[network shared path omitted]\\pk263wsp(1).exe ZIP: infected - 1 skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ***** <*****@*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ****** <*****.*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped

As you have edited the path (& I don't want you to post anything you consider private/sensitive) you need to delete these :-

[network shared path omitted]\pk263wsp(1).exe
[network shared path omitted]\\pk263wsp(1).exe ZIP

& the others which are infected e-mail attachments ..

-
Your RAM is OK as windows reports it ...

Total Physical memory: 512.00 MB

-
The Combofix log you posted is the oldest one ...

Combofix2.txt run on 2007-11-19 @ 7:59:07

Combofix1.txt would be newer ...

But Combofix.txt (with NO number) is the newest one, & the one I would like to see (if you have one)

After doing the above, please run a new KASPERSKY scan ...

steam
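The sorting steam does by hand above (quarantine, restore points, archives and mail stores on the share, heuristic hits) can be scripted. The following is an added example, not code from the thread or from Kaspersky: it parses the findings section of an Online Scanner report and buckets each object by where it sits, because the fix differs per location (empty the quarantine, purge restore points, delete the archive or attachment, verify a heuristic hit before deleting). The sample input is an excerpt of the first report above; the container names recognised and the location rules are this example's assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Container types seen in the report above (assumption: Kaspersky prints the
# container type directly after the object path; extend this tuple as needed).
CONTAINER_TYPES = ("ZIP", "Mail MS Outlook 5")

_OBJECT = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")
_CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<ctype>" + "|".join(re.escape(c) for c in CONTAINER_TYPES)
    + r"): infected - (?P<count>\d+) (?P<action>\S+)$"
)

@dataclass
class Finding:
    path: str
    verdict: str    # "Infected", "Suspicious" (heuristic) or "Container"
    name: str       # detection name, or the container type for container lines
    action: str     # "skipped": the online scanner only reports, it does not clean
    count: int = 1  # infected members reported for a container line

    @property
    def heuristic(self) -> bool:
        return self.verdict == "Suspicious"

    @property
    def riskware(self) -> bool:
        # Kaspersky's "not-a-virus:" prefix marks adware/riskware, not a virus.
        return self.name.startswith("not-a-virus:")

def parse_report(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _OBJECT.match(line):
            findings.append(Finding(m["path"], m["verdict"], m["name"], m["action"]))
        elif m := _CONTAINER.match(line):
            findings.append(Finding(m["path"], "Container", m["ctype"], m["action"], int(m["count"])))
    return findings

def location(path: str) -> str:
    """Where the object sits, which decides how it is cleaned (rules are this example's)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "av-quarantine"    # already neutralised by the resident AV: empty the quarantine
    if "\\system volume information\\_restore" in p:
        return "restore-point"    # purge by disabling and re-enabling System Restore
    if ".dbx" in p or ".pst" in p:
        return "mail-store"       # infected attachment inside a mail database
    if "/" in p:
        return "archive-member"   # object nested inside an archive
    if p.startswith("[network") or p.startswith("\\\\"):
        return "network-share"
    return "local-file"

def triage(text: str) -> dict[str, list[Finding]]:
    buckets: dict[str, list[Finding]] = defaultdict(list)
    for f in parse_report(text):
        buckets[location(f.path)].append(f)
    return dict(buckets)

def summarize(text: str) -> dict[str, int]:
    findings = parse_report(text)
    out = {loc: len(fs) for loc, fs in triage(text).items()}
    out["heuristic"] = sum(f.heuristic for f in findings)
    out["riskware"] = sum(f.riskware for f in findings)
    return out

# Excerpt of the first report above, used as the sample input.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP14\A0000938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
[network shared path omitted]\pk263wsp(1).exe/TSADBOT.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
[network shared path omitted]\\pk263wsp(1).exe ZIP: infected - 1 skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx/[From ***** <*****@*****>][Date Sat, 27 Oct 2001 23:39:05 -0400]/UNNAMED/CMMPU.EXE Infected: Email-Worm.Win32.Magistr.a skipped
[network shared path omitted]\backup\outlook\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
T:\Media\Drawings\~DIB0617.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0708.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
"""

if __name__ == "__main__":
    for loc, fs in triage(SAMPLE_REPORT).items():
        print(loc)
        for f in fs:
            print(f"  {f.verdict:<10} {f.name}  {f.path}")
    print(summarize(SAMPLE_REPORT))
```

Container lines ("ZIP: infected - 1", "Mail MS Outlook 5: infected - 2") are kept separately from their members so the member count can be checked against the scanner's own total; everything comes back as "skipped" because the online scanner detects but does not disinfect.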
 
No need to apologize, I had posted that quite a bit later than the earlier posts, and just a few minutes before your post (because I had to run Kaspersky the 2nd time to get the log). Unfortunately the ComboFix2.txt is the only log file there. Currently the suspicious files that Kaspersky found are:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-29 07:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 467918
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\
O:\
T:\
U:\
V:\
X:\

Scan Statistics:
Total number of scanned objects: 930452
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 5
Duration of the scan process: 05:31:02

Infected Object Name / Virus Name / Last Action
T:\Media\Drawings\~DIB0617.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0708.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB087E.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB0970.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
T:\Media\Drawings\~DIB1026.TMP Suspicious: Exploit.Win32.IMG-BMP skipped
 
Hi

Ignore the fact that it says ... Number of viruses found: 1

It is referring to the "Suspicious" entries, which are not necessarily malicious ...

There is very little reference on the net to that particular exploit, & no description ...

Having said that, .TMP files are meant to be executed and then deleted ... so if you don't know what they are, I would recommend deleting them ...

Then as that should take care of all the malware we can see, I would like you to delete any version of Combofix that you have & try once again with the newest version :-

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

cheers

steam
 
I had to try a couple of times with ComboFix, but I did get it to finish. I just ran it without dragging any textfile onto it. Here's the log:

ComboFix 07-11-30.7 - rollin 2007-11-30 8:16:58.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.123 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 16:49 . 2007-11-27 16:49 885 --a------ C:\backup.reg
2007-11-27 16:45 . 2007-11-27 16:45 126,976 --a------ C:\zip.exe
2007-11-27 16:45 . 2007-11-27 16:45 845 --a------ C:\avexport.bat
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 14:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-21 14:53 . 2007-11-21 14:54 <DIR> d-------- C:\Program Files\Java
2007-11-21 14:49 . 2007-11-21 14:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-21 14:46 . 2007-11-21 14:46 0 --a------ C:\WINDOWS\mozver.dat
2007-11-21 09:44 . 2007-11-26 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-21 08:38 . 2007-11-21 08:38 714,281 ---hs---- C:\WINDOWS\SYSTEM32\kccvrstq.ini
2007-11-20 07:40 . 2007-11-20 16:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-19 09:17 . 2007-11-19 15:43 685,703 ---hs---- C:\WINDOWS\SYSTEM32\btyhvdet.ini
2007-11-19 07:24 . 2007-11-19 07:24 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-18 11:54 . 2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 . 2007-11-19 08:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-17 09:39 . 2007-11-17 11:47 678,040 ---hs---- C:\WINDOWS\SYSTEM32\kmoqquov.ini
2007-11-16 10:36 . 2007-11-17 11:50 401 --a------ C:\WINDOWS\wininit.ini
2007-11-16 10:21 . 2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-16 09:50 . 2007-11-17 09:39 675,358 ---hs---- C:\WINDOWS\SYSTEM32\ljrnfywl.ini
2007-11-06 08:38 . 2006-06-06 14:20 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 . 2004-10-16 05:31 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 . 2006-05-11 18:15 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 . 2006-05-11 18:15 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 . 2006-11-16 19:16 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 . 2006-11-16 19:15 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:38 . 2006-11-02 19:32 18,747 --a------ C:\WINDOWS\SYSTEM32\hpceac06.hpi
2007-11-06 08:37 . 2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series
2007-10-12 08:48 . 2007-10-12 08:48 37 --a------ C:\WINDOWS\PVX.INI
2007-10-10 07:21 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-08 22:30 19,456 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2007-08-03 00:11 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2007-08-03 00:11 241,664 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_ 7.52.31.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 09:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
- 2004-01-16 13:42:47 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-01-16 13:42:47 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-20 15:37:24 45,218 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2007-06-13 17:10:34 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 08:23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 8:25:17
C:\ComboFix2.txt ... 2007-11-19 07:59
.
--- E O F ---
 
Hi

Did you make the script you tried to drop into Combofix with NOTEPAD ... not any other text editor, NOT Wordpad for instance?

Please try again with this one ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C0FF94A-DC57-4B9B-8984-73E443EA415C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{295DB863-5B9F-451B-B850-B75B8FAF4E7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78A2ED6E-7085-4FF3-A382-8B9310871AC4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.gif]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
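The five File:: entries and five Registry:: entries above were picked out of the ComboFix log by eye. As an added example (not code from the thread, from ComboFix or from its author), the script below applies two rules of thumb to the "Files Created" and "Reg Loading Points" sections: hidden+system (`---hs----`) files with random-looking names sitting directly in SYSTEM32 plus stray .tmp files there, and Browser Helper Object keys with no DLL listed beneath them. It then writes a CFScript in the exact shape the post insists on (File:: on the very first line, CRLF line ends, plain ANSI text) and checks a saved copy for the WordPad/RTF, byte-order-mark and blank-first-line mistakes that make ComboFix ignore the script. The selection rules, the assumption about how ComboFix lists a registered BHO, and the all-zero "registered" BHO in the sample are this example's, not the page's.

```python
from __future__ import annotations
import re

SYSTEM32 = "c:\\windows\\system32\\"

# One "Files Created" entry: created . modified size attrs path
_ENTRY = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size><DIR>|[\d,]+) (?P<attr>[-a-z]{9}) (?P<path>.+)$"
)
_BHO = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]+\})\]$")
_RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.(ini|dll|exe)$")  # e.g. kccvrstq.ini

def suspicious_files(log: str) -> list[str]:
    """Files directly in SYSTEM32 that are hidden+system with a random-looking
    name, or any .tmp file there (heuristic chosen for this example)."""
    hits = []
    for line in log.splitlines():
        m = _ENTRY.match(line.strip())
        if not m or m["attr"].startswith("d"):  # skip directories
            continue
        path = m["path"]
        low = path.lower()
        if not low.startswith(SYSTEM32) or "\\" in low[len(SYSTEM32):]:
            continue
        name = low[len(SYSTEM32):]
        hidden_system = "h" in m["attr"] and "s" in m["attr"]
        if (hidden_system and _RANDOM_NAME.match(name)) or name.endswith(".tmp"):
            hits.append(path)
    return hits

def orphaned_bhos(log: str) -> list[str]:
    """BHO keys with nothing listed beneath them (assumption: ComboFix prints
    the DLL path on the following line for a BHO that is actually registered)."""
    lines = [l.rstrip() for l in log.splitlines()]
    orphans = []
    for i, line in enumerate(lines):
        m = _BHO.match(line)
        if not m:
            continue
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if following == "" or following.startswith("["):
            orphans.append(m["clsid"])
    return orphans

def build_cfscript(files: list[str], clsids: list[str]) -> str:
    """Plain-text CFScript: 'File::' must be the very first line, CRLF line ends."""
    lines = ["File::", *files, "", "Registry::"]
    lines += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + c + "]" for c in clsids]
    return "\r\n".join(lines) + "\r\n"

def validate_cfscript(data: bytes) -> list[str]:
    """Returns the problems that would stop ComboFix reading the saved script."""
    problems = []
    if data.startswith(b"{\\rtf"):
        problems.append("saved as RTF (WordPad's default), not plain text")
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        problems.append("starts with a byte-order mark; save as ANSI text")
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first != b"File::":
        problems.append("first line must be exactly 'File::', no blank line or space before it")
    if any(b > 0x7F for b in data):
        problems.append("contains non-ASCII bytes")
    return problems

# Constructed excerpt in the layout of the ComboFix log above; the first BHO
# entry (all-zero CLSID with a DLL beneath it) is made up to show a registered one.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 16:49 . 2007-11-27 16:49 885 --a------ C:\backup.reg
2007-11-21 14:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-21 09:44 . 2007-11-26 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-21 08:38 . 2007-11-21 08:38 714,281 ---hs---- C:\WINDOWS\SYSTEM32\kccvrstq.ini
2007-11-19 09:17 . 2007-11-19 15:43 685,703 ---hs---- C:\WINDOWS\SYSTEM32\btyhvdet.ini
2007-11-19 07:24 . 2007-11-19 07:24 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-11-06 08:38 . 2004-10-16 05:31 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
C:\Program Files\Example\example.dll [2007-01-01 00:00]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045FC74F-E48D-4DB7-B38A-764715043D43}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD82EC86-537D-47FC-99AD-F24228F65B51}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"""

if __name__ == "__main__":
    script = build_cfscript(suspicious_files(SAMPLE_LOG), orphaned_bhos(SAMPLE_LOG))
    print(script, end="")
    print("problems:", validate_cfscript(script.encode("ascii")) or "none")
```

Treat the output as a draft to review, not a verdict: a hidden+system file with a random name is only circumstantial, and anything the script lists should be cross-checked against the detections in the scanner reports before it goes into a File:: section.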
 
I've been using notepad every time, but this time it finally worked! Here is the log:

ComboFix 07-11-30.7 - rollin 2007-11-30 15:55:07.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -6:00]
Running from: C:\Documents and Settings\rollin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rollin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\btyhvdet.ini
C:\WINDOWS\SYSTEM32\kccvrstq.ini
C:\WINDOWS\SYSTEM32\kmoqquov.ini
C:\WINDOWS\SYSTEM32\ljrnfywl.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-27 16:49 . 2007-11-27 16:49 885 --a------ C:\backup.reg
2007-11-27 16:45 . 2007-11-27 16:45 126,976 --a------ C:\zip.exe
2007-11-27 16:45 . 2007-11-27 16:45 845 --a------ C:\avexport.bat
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 14:52 . 2007-11-26 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 14:54 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-21 14:53 . 2007-11-21 14:54 <DIR> d-------- C:\Program Files\Java
2007-11-21 14:49 . 2007-11-21 14:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-21 14:46 . 2007-11-21 14:46 0 --a------ C:\WINDOWS\mozver.dat
2007-11-21 09:44 . 2007-11-26 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-20 07:40 . 2007-11-20 16:10 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-18 11:54 . 2007-11-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 11:53 . 2007-11-19 08:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 11:53 . 2007-11-18 11:53 <DIR> d-------- C:\Documents and Settings\rollin\Application Data\SUPERAntiSpyware.com
2007-11-16 10:36 . 2007-11-17 11:50 401 --a------ C:\WINDOWS\wininit.ini
2007-11-16 10:21 . 2007-11-16 10:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 08:38 . 2006-06-06 14:20 241,721 --a------ C:\WINDOWS\SYSTEM32\HPBMINI.DLL
2007-11-06 08:38 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\SYSTEM32\hpzpnp.dll
2007-11-06 08:38 . 2004-10-16 05:31 61,440 --a------ C:\WINDOWS\SYSTEM32\HPNRA.EXE
2007-11-06 08:38 . 2006-05-11 18:15 52,736 --a------ C:\WINDOWS\SYSTEM32\HPZIPM12.DLL
2007-11-06 08:38 . 2006-05-11 18:15 43,520 --a------ C:\WINDOWS\SYSTEM32\HPZINW12.DLL
2007-11-06 08:38 . 2006-11-16 19:16 38,912 --a------ C:\WINDOWS\SYSTEM32\HPBPRO.DLL
2007-11-06 08:38 . 2006-11-16 19:15 25,600 --a------ C:\WINDOWS\SYSTEM32\HPBOID.DLL
2007-11-06 08:38 . 2006-11-02 19:32 18,747 --a------ C:\WINDOWS\SYSTEM32\hpceac06.hpi
2007-11-06 08:37 . 2007-11-06 08:37 <DIR> d-------- C:\HP LJ4x50 Series
2007-10-12 08:48 . 2007-10-12 08:48 37 --a------ C:\WINDOWS\PVX.INI
2007-10-10 07:21 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 14:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 13:50 --------- d-----w C:\Program Files\FedEx
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-08-21 17:44 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-21 17:44 249,856 ------w C:\WINDOWS\Setup1.exe
2007-08-21 16:20 60,968 ----a-w C:\Documents and Settings\rollin\GoToAssistDownloadHelper.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-08 22:30 19,456 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2007-08-03 00:11 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2007-08-03 00:11 241,664 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2007-06-07 17:49 2 ----a-w C:\Documents and Settings\administrator.GO4B\WSSEMAPHORES.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_ 7.52.31.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-27 09:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
- 2004-01-16 13:42:47 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-01-16 13:42:47 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\SYSTEM32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\SYSTEM32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\SYSTEM32\lnod32upd.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-20 15:37:24 45,218 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
+ 2007-06-13 17:10:34 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-15 14:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2005-06-23 18:27]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2006-01-20 10:46]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 01:56]
"NA1Messenger"="C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe" [2007-03-23 22:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-01-24 09:57:12]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 09:05:56]
UPS WorldShip Messaging Utility.lnk - C:\UPS\WSTD\Messages\WSTDMessaging.exe [2007-02-07 02:33:26]
UPS WorldShip PLD Reminder Utility.lnk - C:\UPS\WSTD\wstdPldReminder.exe [2007-02-07 01:27:28]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 15:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 16:00:31
C:\ComboFix2.txt ... 2007-11-30 08:25
C:\ComboFix3.txt ... 2007-11-19 07:59
.
--- E O F ---
 
Sorry steam, I forgot to post the HJT log earlier. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:51 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\UPS\WSTD\Messages\WSTDMessaging.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\UPS\WSTD\WorldShipTD.exe
C:\UPS\WSTD\upslnkmg.exe
c:\ups\wstd\tdrptsrv.exe
C:\Documents and Settings\rollin\Desktop\Problems.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\PolicyMgr\NA1Msgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\Messages\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1513b40d4621f5c71520/netzip/RdxIE601.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\Software\..\Telephony: DomainName = go4b.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = go4b.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = go4b.com
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8253 bytes
 
Hi

HijackThis & ComboFix are now clean ...

Are your problems resolved?

If you have no further questions or concerns .... Happy surfing

steam
 