smitfraud

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\fmpifcfs.exe
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\wkldxmiv.ini
C:\Documents and Settings\nancy\3151.bat
C:\Documents and Settings\nancy\Desktop\utorrent.exe

Folder::
C:\WINDOWS\system32\winf
C:\WINDOWS\system32\UES
C:\WINDOWS\system32\p
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\mC02
C:\temp\mtc2
C:\Program Files\hxdmjaf
C:\Program Files\Applications
C:\Documents and Settings\All Users\Application Data\mbqhmbcv
C:\Documents and Settings\nancy\Application Data\uTorrent
C:\WINDOWS\system32\EV02
C:\temp\xp34

Driver::
oflpydin

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
"SetEn"=-
"StrUtil"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"genensh"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a496ad42"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0349ac28-2945-11dd-ad90-e1fb8d0daab6}]

Save this as "[b]CFScript[/b]"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of [b]Combofix.txt[/b] in your next reply together with a new HijackThis log.

[color=red]Combofix should never take more than 20 minutes including the reboot if malware is detected.[/color]
If it does, open [b]Task Manager[/b], then the [b]Processes[/b] tab (press Ctrl, Alt and Del at the same time), and end any processes of [b]findstr, find, sed or swreg[/b]; then Combofix should continue.
If that happened we want to know, and also which process you had to end.
 
ComboFix 08-10-12.01 - nancy 2008-10-18 14:33:22.4 - NTFSx86
Running from: C:\Documents and Settings\nancy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nancy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\mbqhmbcv
C:\Program Files\Applications
C:\Program Files\hxdmjaf
C:\Program Files\hxdmjaf\genensh.dll
C:\temp\mtc2
C:\temp\mtc2\h5v.log
C:\temp\xp34
C:\temp\xp34\cPH.log
C:\WINDOWS\system32\EV02
C:\WINDOWS\system32\mC02
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\p
C:\WINDOWS\system32\UES
C:\WINDOWS\system32\UES\dx6tb3.exe
C:\WINDOWS\system32\winf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-17 20:43 . 2008-10-17 20:43 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-10-17 20:43 . 2008-10-17 20:43 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-10-12 01:13 . 2008-10-12 01:13 <DIR> d-------- C:\695d627f403feaa5dbe1
2008-10-11 22:36 . 2008-10-11 22:36 86,016 --a------ C:\WINDOWS\system32\evcjargp.exe
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Program Files\Avira
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-07 18:58 . 2008-10-09 19:10 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-10-05 19:18 . 2008-10-05 19:18 121 --ahs---- C:\WINDOWS\system32\wkldxmiv.ini
2008-10-04 23:29 . 2008-10-04 23:33 122 --ahs---- C:\WINDOWS\system32\mdedmflg.ini
2008-10-04 16:44 . 2008-10-04 16:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-03 18:48 . 2004-08-04 03:56 24,576 --a------ C:\WINDOWS\system32\stus.exe
2008-09-28 16:31 . 2008-09-28 16:31 121 --ahs---- C:\WINDOWS\system32\bwwctmqe.ini
2008-09-27 20:04 . 2008-10-02 19:53 <DIR> d-------- C:\rsit
2008-09-26 19:31 . 2008-09-26 19:32 38,880 --ahs---- C:\WINDOWS\system32\kihvhbxk.ini
2008-09-25 20:22 . 2008-09-26 19:12 38,880 --ahs---- C:\WINDOWS\system32\kycnkbuh.ini
2008-09-24 22:41 . 2008-09-25 20:13 1,171 --ahs---- C:\WINDOWS\system32\wavuosre.ini
2008-09-24 20:57 . 2008-09-24 20:57 699 --ahs---- C:\WINDOWS\system32\pxnhabof.ini
2008-09-24 18:53 . 2008-09-24 20:36 527 --ahs---- C:\WINDOWS\system32\jkloietj.ini
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 23:21 . 2008-09-21 23:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-21 15:50 . 2008-09-21 15:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-20 18:06 . 2008-09-20 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 22:11 . 2008-09-22 17:54 345 --ahs---- C:\WINDOWS\system32\dddJlRCf.ini
2008-09-18 19:03 . 2008-09-18 19:03 71 --a------ C:\Documents and Settings\nancy\3151.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 00:42 --------- d-----w C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-10-15 22:53 --------- d-----w C:\Program Files\GameBiz2
2008-10-15 00:45 21,504 ----a-w C:\Documents and Settings\nancy\39dll.dll
2008-10-15 00:45 157,696 ----a-w C:\Documents and Settings\nancy\supersound.dll
2008-10-14 02:27 --------- d-----w C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-10-02 00:32 --------- d-----w C:\Program Files\The Tower of Babel
2008-09-25 23:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 00:28 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-09-22 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 16:40 --------- d-----w C:\Program Files\Phun
2008-09-12 20:36 --------- d-----w C:\Program Files\Galactic Capitalism
2008-09-05 23:58 --------- d-----w C:\Program Files\Axon Data
2008-09-01 03:37 --------- d-----w C:\Program Files\Risk
2008-08-31 02:28 --------- d-----w C:\Program Files\Zombie Cow Studios
2008-08-29 18:26 8,992 ----a-w C:\Documents and Settings\nancy\Device.dat
2008-08-29 00:30 --------- d-----w C:\Program Files\VDMSound
2008-08-28 22:04 --------- d-----w C:\Program Files\DOSBox-0.72
2008-08-26 03:56 --------- d-----w C:\Program Files\Cheat Engine
2008-08-25 10:55 --------- d-----w C:\Program Files\Carbiz demo
2008-08-19 20:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 20:23 --------- d-----w C:\Program Files\Cat Daddy Games
2008-08-19 17:26 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-19 17:20 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-19 17:20 --------- d-----w C:\Documents and Settings\nancy\Application Data\DAEMON Tools
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-03-31 00:17 336 ----a-w C:\Program Files\temp995.bat
2007-09-29 04:04 714,936 ----a-w C:\Documents and Settings\Guest\Application Data\New Compressed (zipped) Folder.zip
1987-09-18 16:31 26,785 ----a-w C:\Documents and Settings\nancy\ELECTION.EXE
1987-09-18 16:12 26,705 ----a-w C:\Documents and Settings\nancy\PE.EXE
1987-09-18 15:46 57,425 ----a-w C:\Documents and Settings\nancy\MAP.EXE
1987-09-18 04:59 51,185 ----a-w C:\Documents and Settings\nancy\CAMPAIGN.EXE
1987-09-18 02:26 26,689 ----a-w C:\Documents and Settings\nancy\DEBATE.EXE
1987-09-18 02:23 39,921 ----a-w C:\Documents and Settings\nancy\NOMINATE.EXE
1987-09-17 22:30 5,921 ----a-w C:\Documents and Settings\nancy\START.EXE
1987-04-07 15:48 70,680 ----a-w C:\Documents and Settings\nancy\BRUN30.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" [X]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"VolControl"="C:\Program Files\Volume Control\Volume Control.exe" [2007-01-24 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-19 1757]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"Twain"=C:\Program Files\Twain\Twain.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe"
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"flockbox"=F:\My Lockbox\flockbox.exe /a
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\Nancy_2\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Globulation_2\\glob2.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\KMIVBR2\\KMI.Cstore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-18 17264]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [ ]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 14:49:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 312 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
.
**************************************************************************
.
Completion time: 2008-10-18 14:57:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 18:57:07
ComboFix2.txt 2008-10-16 00:52:23
ComboFix3.txt 2008-10-16 00:16:34

Pre-Run: 55,853,699,072 bytes free
Post-Run: 55,849,873,408 bytes free

188 --- E O F --- 2008-10-13 03:51:36
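The File:: list in the CFScript above was assembled from entries in this log. As an added illustration (not ComboFix's or the helper's code), here is a small parser over the "Files Created" lines that surfaces the traits a log reader looks for: hidden+system attributes, random eight-letter names in system32, and a modified timestamp older than the creation time, which warrants a hash check (as with disk.sys) rather than deletion on sight. The sample lines are copied from the posted log; the heuristics and their thresholds are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: "Files Created" lines in the ComboFix format seen in this
# thread: "created . modified size attrs path". Copied from the posted log.
SAMPLE_LOG = """\
2008-10-17 20:43 . 2008-10-17 20:43 53,248 --a------ C:\\WINDOWS\\system32\\suppdll.dll
2008-10-11 22:36 . 2008-10-11 22:36 86,016 --a------ C:\\WINDOWS\\system32\\evcjargp.exe
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\\WINDOWS\\system32\\drivers\\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\\Program Files\\Avira
2008-10-05 19:18 . 2008-10-05 19:18 121 --ahs---- C:\\WINDOWS\\system32\\wkldxmiv.ini
2008-10-04 23:29 . 2008-10-04 23:33 122 --ahs---- C:\\WINDOWS\\system32\\mdedmflg.ini
2008-10-03 18:48 . 2004-08-04 03:56 24,576 --a------ C:\\WINDOWS\\system32\\stus.exe
2008-09-26 19:31 . 2008-09-26 19:32 38,880 --ahs---- C:\\WINDOWS\\system32\\kihvhbxk.ini
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\\WINDOWS\\system32\\tmp.reg
"""

# One log line: two timestamps, a size or <DIR>, a 9-character attribute string
# (d=directory, a=archive, h=hidden, s=system, c=compressed), then the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Assumed heuristic: eight lowercase letters with a system-ish extension.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(ini|exe|dll|sys)$")
SYSTEM32 = "\\windows\\system32\\"
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_line(line):
    """Return a dict for a ComboFix 'Files Created' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    is_dir = d["size"] == "<DIR>"
    return {
        "created": datetime.strptime(d["created"], TIME_FMT),
        "modified": datetime.strptime(d["modified"], TIME_FMT),
        "is_dir": is_dir,
        "size": None if is_dir else int(d["size"].replace(",", "")),
        "attrs": d["attrs"],
        "path": d["path"],
    }


def triage(entry):
    """List the reasons an entry deserves a closer look (empty list = nothing notable)."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    attrs = entry["attrs"]
    path_l = entry["path"].lower()
    name = path_l.rsplit("\\", 1)[-1]
    if "h" in attrs and "s" in attrs:
        reasons.append("hidden+system attributes")
    if SYSTEM32 in path_l and RANDOM_NAME_RE.match(name):
        reasons.append("random 8-letter name in system32")
    if entry["modified"] < entry["created"]:
        # A file written this month that claims a 2004 modification time may be
        # timestamp-stomped or a legitimate restore; verify the hash, do not guess.
        reasons.append("modified timestamp predates creation; verify hash")
    return reasons


def flag_suspicious(log_text):
    """Map each flagged path in the log text to its list of reasons."""
    results = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            results[entry["path"]] = reasons
    return results


if __name__ == "__main__":
    for path, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```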
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:58 PM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7697 bytes
 
Do you recognize these?

1987-09-18 16:31 26,785 ----a-w C:\Documents and Settings\nancy\ELECTION.EXE
1987-09-18 16:12 26,705 ----a-w C:\Documents and Settings\nancy\PE.EXE
1987-09-18 15:46 57,425 ----a-w C:\Documents and Settings\nancy\MAP.EXE
1987-09-18 04:59 51,185 ----a-w C:\Documents and Settings\nancy\CAMPAIGN.EXE
1987-09-18 02:26 26,689 ----a-w C:\Documents and Settings\nancy\DEBATE.EXE
1987-09-18 02:23 39,921 ----a-w C:\Documents and Settings\nancy\NOMINATE.EXE
1987-09-17 22:30 5,921 ----a-w C:\Documents and Settings\nancy\START.EXE
1987-04-07 15:48 70,680 ----a-w C:\Documents and Settings\nancy\BRUN30.EXE
 
Thanks for the information.

Please click this link-->Jotti

Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

C:\WINDOWS\system32\drivers\disk.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Thanks for the information.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\wkldxmiv.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\Documents and Settings\nancy\3151.bat

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also which process you had to end.
 
ComboFix 08-10-19.04 - nancy 2008-10-20 20:33:15.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]
Running from: C:\Documents and Settings\nancy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nancy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\nancy\3151.bat
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\wkldxmiv.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\nancy\3151.bat
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\wkldxmiv.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-19 22:12 . 2008-10-19 22:18 <DIR> d-------- C:\New Folder
2008-10-17 20:43 . 2008-10-17 20:43 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-10-17 20:43 . 2008-10-19 08:13 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-10-12 01:13 . 2008-10-12 01:13 <DIR> d-------- C:\695d627f403feaa5dbe1
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Program Files\Avira
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-04 16:44 . 2008-10-04 16:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-27 20:04 . 2008-10-02 19:53 <DIR> d-------- C:\rsit
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 23:21 . 2008-09-21 23:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-21 15:50 . 2008-09-21 15:51 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 23:34 --------- d-----w C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-10-20 02:18 --------- d-----w C:\Program Files\DOSBox-0.72
2008-10-15 22:53 --------- d-----w C:\Program Files\GameBiz2
2008-10-15 00:45 21,504 ----a-w C:\Documents and Settings\nancy\39dll.dll
2008-10-15 00:45 157,696 ----a-w C:\Documents and Settings\nancy\supersound.dll
2008-10-14 02:27 --------- d-----w C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-10-02 00:32 --------- d-----w C:\Program Files\The Tower of Babel
2008-09-25 23:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 00:28 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-09-22 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 22:06 --------- d-----w C:\Program Files\Trend Micro
2008-09-20 16:40 --------- d-----w C:\Program Files\Phun
2008-09-12 20:36 --------- d-----w C:\Program Files\Galactic Capitalism
2008-09-05 23:58 --------- d-----w C:\Program Files\Axon Data
2008-09-01 03:37 --------- d-----w C:\Program Files\Risk
2008-08-31 02:28 --------- d-----w C:\Program Files\Zombie Cow Studios
2008-08-29 18:26 8,992 ----a-w C:\Documents and Settings\nancy\Device.dat
2008-08-29 00:30 --------- d-----w C:\Program Files\VDMSound
2008-08-26 03:56 --------- d-----w C:\Program Files\Cheat Engine
2008-08-25 10:55 --------- d-----w C:\Program Files\Carbiz demo
2008-03-31 00:17 336 ----a-w C:\Program Files\temp995.bat
2007-09-29 04:04 714,936 ----a-w C:\Documents and Settings\Guest\Application Data\New Compressed (zipped) Folder.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" [X]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"VolControl"="C:\Program Files\Volume Control\Volume Control.exe" [2007-01-24 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-19 1757]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"Twain"=C:\Program Files\Twain\Twain.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe"
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\Nancy_2\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Globulation_2\\glob2.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\KMIVBR2\\KMI.Cstore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-18 17264]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [ ]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-flockbox - F:\My Lockbox\flockbox.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 20:38:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 20 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-20 20:45:17
ComboFix-quarantined-files.txt 2008-10-21 00:45:13
ComboFix2.txt 2008-10-18 18:57:18
ComboFix3.txt 2008-10-16 00:52:23
ComboFix4.txt 2008-10-16 00:16:34

Pre-Run: 55,748,247,552 bytes free
Post-Run: 55,748,382,720 bytes free

150 --- E O F --- 2008-10-13 03:51:36
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:28 PM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7722 bytes
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:31 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7032 bytes
 
Please click this link-->Jotti

Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
File CSRSS.EXE received on 09.22.2008 14:57:42 (CET)
Current status: finished

Result: 4/36 (11.11%)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.19.2 2008.09.22 -
AntiVir 7.8.1.34 2008.09.22 -
Authentium 5.1.0.4 2008.09.22 W32/VB-Wird-based!Maximus
Avast 4.8.1195.0 2008.09.22 -
AVG 8.0.0.161 2008.09.22 -
BitDefender 7.2 2008.09.22 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.22 -
DrWeb 4.44.0.09170 2008.09.22 -
eSafe 7.0.17.0 2008.09.21 -
eTrust-Vet 31.6.6099 2008.09.22 -
Ewido 4.0 2008.09.22 -
F-Prot 4.4.4.56 2008.09.21 W32/VB-Wird-based!Maximus
F-Secure 8.0.14332.0 2008.09.22 -
Fortinet 3.113.0.0 2008.09.22 -
GData 19 2008.09.22 -
Ikarus T3.1.1.34.0 2008.09.22 -
K7AntiVirus 7.10.467 2008.09.22 -
Kaspersky 7.0.0.125 2008.09.22 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.22 -
NOD32v2 3459 2008.09.22 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.22 Suspicious file
PCTools 4.4.2.0 2008.09.21 -
Prevx1 V2 2008.09.22 Worm
Rising 20.63.02.00 2008.09.22 -
Sophos 4.33.0 2008.09.22 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.22 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.22 -
VBA32 3.12.8.5 2008.09.22 -
ViRobot 2008.9.22.1387 2008.09.22 -
VirusBuster 4.5.11.0 2008.09.21 -
Webwasher-Gateway 6.6.2 2008.09.22 -
Additional information
File size: 122880 bytes
MD5...: ebcd8872fe683b1c6d2b0a0bfc8ca688
SHA1..: c9e92abf1a5b6b829b8eba607c7c2d45952adf1e
SHA256: da632aa3ef658c388e4eba8660e88321c2e460e0356cd4ed93953c77dcea4db8
SHA512: 2872e239f7c72dd5ebf0b4ad0d84c0f854ee524a4368d8b07be551c8369f54965f5da9b73284144dfad674f2139d25320a4b8e8ef50e2334aac0974765937fe0
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40214c
timedatestamp.....: 0x46db5f74 (Mon Sep 03 01:12:20 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1a1b4 0x1b000 5.86 1f397ec6d47133ba709d3891aca3e300
.data 0x1c000 0x1404 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x1e000 0x728 0x1000 1.82 33fa0e270af184eff5c8453c37db951d

( 1 imports )
> MSVBVM60.DLL: __vbaVarSub, __vbaStrI2, -, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, -, __vbaFreeObjList, -, -, __vbaVarFix, __vbaStrErrVarCopy, _adj_fprem1, -, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarTstLe, __vbaAryDestruct, -, __vbaExitProc, __vbaI4Abs, -, __vbaObjSet, __vbaOnError, -, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, -, __vbaStrFixstr, __vbaFPFix, __vbaFpR8, __vbaRefVarAry, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, -, __vbaErase, -, -, __vbaVarZero, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, -, __vbaGenerateBoundsError, -, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, -, __vbaObjVar, -, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaFpUI1, -, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, -, -, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, -, __vbaPrintFile, __vbaStrToUnicode, -, _adj_fprem, _adj_fdivr_m64, -, __vbaI2Str, __vbaVarDiv, -, -, __vbaFPException, -, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, -, __vbaI2Var, __vbaLsetFixstrFree, -, __vbaStopExe, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaVar2Vec, __vbaInStr, __vbaR8Str, __vbaNew2, -, _adj_fdiv_m32i, -, _adj_fdivr_m32i, -, __vbaStrCopy, -, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, -, -, -, __vbaI4Var, -, __vbaVarAdd, __vbaLateMemCall, __vbaAryLock, __vbaStrToAnsi, __vbaVarDup, -, __vbaFpI2, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaFpI4, -, __vbaRecDestructAnsi, -, _CIatan, __vbaAryCopy, -, __vbaStrMove, -, __vbaStrVarCopy, -, _allmul, _CItan, -, __vbaFPInt, __vbaAryUnlock, _CIexp, __vbaI4ErrVar, -, __vbaFreeStr, 
__vbaFreeObj

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4787C730000EBE50E04101AD3AB36C00BA70B422
 
Do you recognize this file, or the folder where it is located?

C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
 
Open HijackThis, click "Do a system scan only" and checkmark these:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Close all windows, including your browser, and press "Fix checked".

Reboot.

Delete this:

C:\WINDOWS\system32\NtfsDriver

Post back a fresh HijackThis log, please.
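A defender-side triage of the HijackThis entry types singled out in this thread (the F2 UserInit value, the "(no file)" O2/O3 orphans, the O10 LSP and O15 Trusted Zone lines), plus a check for a core system binary name such as CSRSS.EXE running from outside System32. This is an added example, not HijackThis code or the helper's own procedure; the sample log lines are constructed from the logs posted above, and the expected UserInit path and the core-binary list are assumptions for the example.

```python
"""Flag suspicious lines in a HijackThis v2 log (added example; constructed input)."""
import re

# Assumption: the default Windows XP UserInit value points at this file.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SYSTEM32 = r"c:\windows\system32"
# Assumption: a short hand-picked list of core binaries that only belong in System32.
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

# Constructed sample log, trimmed from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
"""

# Every HijackThis finding line looks like "<letter><digits> - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_entries(log_text):
    """Return (kind, body) pairs for the finding lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Return (kind, reason, detail) for each entry a helper would ask about."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind == "F2" and "UserInit=" in body:
            # UserInit is a comma-separated list; anything other than the real
            # userinit.exe runs at every logon, which is how CSRSS.EXE persisted here.
            value = body.split("UserInit=", 1)[1]
            for item in filter(None, (p.strip() for p in value.split(","))):
                if item.lower() != EXPECTED_USERINIT:
                    findings.append((kind, "UserInit hijack", item))
        elif kind in ("O2", "O3") and body.endswith("(no file)"):
            # Orphaned BHO/toolbar registrations: harmless but worth removing.
            clsid = CLSID_RE.search(body)
            findings.append((kind, "orphaned entry, target missing",
                             clsid.group(0) if clsid else body))
        elif kind == "O10":
            findings.append((kind, "unknown Winsock LSP", body.split(": ", 1)[-1]))
        elif kind == "O15":
            findings.append((kind, "site added to Trusted Zone", body.split(": ", 1)[-1]))
    return findings


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def masquerading_processes(log_text):
    """Flag processes named like a core system binary but not running from System32."""
    flagged = []
    for path in running_processes(log_text):
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}: {detail}")
    for path in masquerading_processes(SAMPLE_LOG):
        print(f"core binary name outside System32: {path}")
```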
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:57 PM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6678 bytes
 
Please go to the Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 