System32, Virtumonde.dll, Smitfraud-C.CoreService Problems

rosebud · Mar 29, 2008

I ran the Kaspersky Anti-Virus scan, but the results are too long to paste here. Please let me know what to do next.

Shaba · Mar 31, 2008

Hi rosebud

You can first try to edit out all entries with object locked skipped and split it into multiple replies.

If that doesn't help, let me know.

Also do this, please:

Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

rosebud · Apr 2, 2008

I downloaded th HJTInstall.exe and saved it to my desktop, but I think my virsu protection is blocking it because nothing came up in the notepad.

Shaba · Apr 2, 2008

Hi

Then rename HijackThis.exe to rosebud.exe and let me know if it works now

rosebud · Apr 5, 2008

Kaspersky Scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 29, 2008 4:03:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672536
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48656
Number of viruses found: 62
Number of infected objects: 563
Number of suspicious objects: 7
Duration of the scan process: 00:39:30

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000229.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000230.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000230.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000277.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000303.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000308.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000311.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP23\A0000311.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP24\A0000324.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP24\A0000328.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP24\A0000328.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP25\A0001347.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP25\A0001374.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP25\A0001390.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP26\A0001425.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP42\A0001656.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP44\A0001703.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP44\A0001704.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP44\A0001704.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP46\A0003702.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP46\A0003703.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP46\A0003703.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP56\A0005832.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP56\A0005833.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP56\A0005833.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP57\A0005835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP62\A0006915.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP62\A0006915.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP62\A0006916.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP63\A0006960.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP63\A0006960.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP63\A0006961.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP69\A0009039.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP71\A0009107.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0010107.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011165.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011169.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011179.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011180.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011181.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011182.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011183.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011184.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011186.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011187.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011188.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011189.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011190.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011191.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011192.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011193.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011194.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011195.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011196.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011197.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011198.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011200.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011201.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011203.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011205.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011206.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011207.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011209.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011210.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011211.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011212.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011214.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011215.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011216.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011216.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP72\A0011226.exe Infected: Trojan-Downloader.Win32.Agent.jig skipped

rosebud · Apr 5, 2008

Kaspersky continued

C:\System Volume Information\_restore{58A6191F-EC58-4183-B02B-B841216830B3}\RP75\change.log Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tmrsr.exe Infected: not-virus:Hoax.Win32.Renos.sg skipped
C:\WINDOWS\system32\Ѕymantec\wіnspool.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Ѕymantec\chkntfs.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A9E91720-D3FB-419B-B4EF-711EEC7BB01F}.bin Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

Shaba · Apr 5, 2008

Hi

Does HijackThis work now?

rosebud · Apr 5, 2008

Hijack logfile

I had to run it in safe mode, here it is finally. I am sorry I am not very good with the technical side of computers.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:34 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\tmrsr.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run=""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\tmrsr.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0389F60B-1ECA-4F8D-A76E-390C869AD458} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {16FCA318-4922-4af2-B2B3-D579ADBA1210} - susioe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {589A454E-503F-4962-B8B5-F3DA2B968E64} - C:\Program Files\Windows NT\nipysabo4444.dll (file missing)
O2 - BHO: (no name) - {5DCE9343-FF29-45DD-B6DA-0242475FA975} - (no file)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
O2 - BHO: {889b4cd4-84f5-26a8-4264-15d54b04db9b} - {b9bd40b4-5d51-4624-8a62-5f484dc4b988} - C:\WINDOWS\system32\nsmyjbrk.dll (file missing)
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - C:\WINDOWS\system32\xxyayvt.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\awtrssq.dll (file missing)
O2 - BHO: (no name) - {EC53EEFE-7DF0-464A-8E4A-DA9BFDE34AB1} - C:\WINDOWS\system32\sstqq.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [78b4cb87] rundll32.exe "C:\WINDOWS\system32\syajkfgo.dll",b
O4 - HKLM\..\Run: [BM7b87f81b] Rundll32.exe "C:\WINDOWS\system32\xcdwxukb.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA7355] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4950] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2300] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1554] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4030] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8334] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9314] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4573] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Zgfoovqa] "C:\Program Files\Common Files\s?stem\?poolsv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alww] "C:\WINDOWS\YMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Zlajwnzi] "C:\Program Files\Common Files\W?nSxS\??erinit.exe"
O4 - HKCU\..\Run: [Rprfwkv] "C:\Documents and Settings\CherylVeile\My Documents\??crosoft\?ervices.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Vqrbja] C:\WINDOWS\system32\?ymantec\w?nspool.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2475] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4453] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7468] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4674] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5456] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD927] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9222] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2707] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiSpyware2007FreeInstall.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5176/mcfscan.cab
O20 - Winlogon Notify: awtrssq - awtrssq.dll (file missing)
O20 - Winlogon Notify: iiffcby - iiffcby.dll (file missing)
O20 - Winlogon Notify: xxyayvt - xxyayvt.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {83AEC75F-2460-45D4-A860-DCE275F57D60} - C:\WINDOWS\system32\browseuidw.dll
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 11356 bytes

Shaba · Apr 6, 2008

Hi

Rename HijackThis.exe to rosebud.exe by doing the following;

Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename rosebud.exe to Scanner.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here taken in normal mode, if possible, please.

rosebud · Apr 9, 2008

HijackThis log

I tried everything you said and it wouldn't work and then today I tried to run the Hijack This again before the "rundll" errors came up and I was finally able to get the log. I hope this is what you need to help me. Thank you for your patience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:17 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tmrsr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Trend Micro\rosebud\HijackThis.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\YMANTE~1\chkntfs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\?ymantec\w?nspool.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.EXE

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 1884 bytes

Shaba · Apr 9, 2008

Hi

HijackThis is still unrenamed:

C:\Program Files\Trend Micro\rosebud\HijackThis.exe

You are supposed to rename this:

C:\Program Files\Trend Micro\rosebud\HijackThis.exe

But now you renamed folder instead:

C:\Program Files\Trend Micro\rosebud\HijackThis.exe

Please do it again.

If you have problems, then please ask

rosebud · Apr 11, 2008

Renamed HijackThis and New log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:37 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tmrsr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\YMANTE~1\chkntfs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\?ymantec\w?nspool.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\rosebud\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: run=""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\tmrsr.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0389F60B-1ECA-4F8D-A76E-390C869AD458} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {16FCA318-4922-4af2-B2B3-D579ADBA1210} - susioe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {589A454E-503F-4962-B8B5-F3DA2B968E64} - C:\Program Files\Windows NT\nipysabo4444.dll (file missing)
O2 - BHO: (no name) - {5DCE9343-FF29-45DD-B6DA-0242475FA975} - (no file)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
O2 - BHO: {889b4cd4-84f5-26a8-4264-15d54b04db9b} - {b9bd40b4-5d51-4624-8a62-5f484dc4b988} - C:\WINDOWS\system32\nsmyjbrk.dll (file missing)
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - C:\WINDOWS\system32\xxyayvt.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\awtrssq.dll (file missing)
O2 - BHO: (no name) - {EC53EEFE-7DF0-464A-8E4A-DA9BFDE34AB1} - C:\WINDOWS\system32\sstqq.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [78b4cb87] rundll32.exe "C:\WINDOWS\system32\syajkfgo.dll",b
O4 - HKLM\..\Run: [BM7b87f81b] Rundll32.exe "C:\WINDOWS\system32\xcdwxukb.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA7355] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4950] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2300] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1554] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4030] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8334] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9314] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4573] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Zgfoovqa] "C:\Program Files\Common Files\s?stem\?poolsv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alww] "C:\WINDOWS\YMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Zlajwnzi] "C:\Program Files\Common Files\W?nSxS\??erinit.exe"
O4 - HKCU\..\Run: [Rprfwkv] "C:\Documents and Settings\CherylVeile\My Documents\??crosoft\?ervices.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Vqrbja] C:\WINDOWS\system32\?ymantec\w?nspool.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2475] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4453] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7468] command /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4674] cmd /c del "C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5456] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD927] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9222] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2707] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiSpyware2007FreeInstall.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5176/mcfscan.cab
O20 - Winlogon Notify: awtrssq - awtrssq.dll (file missing)
O20 - Winlogon Notify: iiffcby - iiffcby.dll (file missing)
O20 - Winlogon Notify: xxyayvt - xxyayvt.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {83AEC75F-2460-45D4-A860-DCE275F57D60} - C:\WINDOWS\system32\browseuidw.dll
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 12318 bytes

Shaba · Apr 12, 2008

Hi and sorry for delay

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

rosebud · Apr 13, 2008

Combofix report

ComboFix 08-04-13.1 - CherylVeile 2008-04-13 15:51:50.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT -5:00]
Running from: C:\Documents and Settings\CherylVeile\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\CherylVeile\Application Data\ASEMBL~1
C:\Documents and Settings\CherylVeile\Application Data\macromedia\Flash Player\#SharedObjects\4EEQPAAL\www.broadcaster.com
C:\Documents and Settings\CherylVeile\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\CherylVeile\Application Data\RACLE~1
C:\Documents and Settings\CherylVeile\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\CherylVeile\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\CherylVeile\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\CherylVeile\Start Menu\Programs\Outerinfo
C:\Program Files\Common Files\appatc~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~2
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\fnts~1
C:\Program Files\ISM
C:\Program Files\ISM\anticaupd.exe
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\BndDrive3.dll
C:\Program Files\ISM\BndDrive7.dll
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule2.exe~
C:\Program Files\ISM\kazooupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule9.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\stem32~1
C:\Program Files\Temporary
C:\Program Files\xInsIDE
C:\Program Files\ystem~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\Temp\isgTi19
C:\temp\tn3
C:\WINDOWS\aconti.exe
C:\WINDOWS\BM7b87f81b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\hotporn.exe
C:\WINDOWS\icroso~1
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\ssembl~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\sstem3~1\?ttrib.exe
C:\WINDOWS\stem~1
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\eianchad.ini
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\jofstvyt.sbin
C:\WINDOWS\system32\kcysdcva.ini
C:\WINDOWS\system32\ktvkuavx.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\murpfvvj.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\prrbpgbr.sys
C:\WINDOWS\system32\qclaghyb.ini
C:\WINDOWS\system32\qnbmawwn.ini
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\quimtovd.ini
C:\WINDOWS\system32\rtcoyknd.ini
C:\WINDOWS\system32\rwuwin32.drv
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\tddrtvmo.ini
C:\WINDOWS\system32\tmrsr.exe
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\uklvnefc.ini
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\yukhxypr.ini
C:\WINDOWS\ymante~1
C:\WINDOWS\ymante~1\?ymantec\
C:\WINDOWS\ymante~1\chkntfs.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTSVC
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NNSERV
-------\Legacy_RUNTIME
-------\Legacy_RUNTIME2
-------\Legacy_SMTPDRV
-------\Legacy_SYSLIBRARY
-------\Service_CcEvtSvc
-------\Service_ctl_w32
-------\Service_NNServ
-------\Service_smtpdrv

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-08 19:24 . 2008-04-08 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 14:04 . 2008-03-29 14:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 14:04 . 2008-03-29 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 09:13 . 2008-03-29 09:13 35,262 --a------ C:\WINDOWS\Administrator.acl
2008-03-21 14:39 . 2008-04-04 19:04 1,509 --a------ C:\WINDOWS\wininit.ini
2008-03-21 13:33 . 2008-03-21 13:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 13:33 . 2008-03-21 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 12:53 . 2008-03-21 12:58 1,432,944 ---hs---- C:\WINDOWS\system32\ogfkjays.ini
2008-03-18 18:18 . 2008-03-21 12:52 1,496,343 ---hs---- C:\WINDOWS\system32\bgktlgjv.ini
2008-03-16 12:44 . 2008-03-18 18:16 1,878,842 ---hs---- C:\WINDOWS\system32\vbscpyov.ini
2008-03-14 19:44 . 2008-03-14 19:44 <DIR> d--hs---- C:\FOUND.014

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 14:00 1,734,383 --sha-w C:\Documents and Settings\All Users\Application Data\log.dat
2008-02-29 12:18 61 ----a-w C:\system.bat
2008-02-29 12:18 44,032 ----a-w C:\winxkvf.exe
2008-02-29 12:18 33 --sha-w C:\Documents and Settings\All Users\Application Data\_log.dat
2001-07-12 13:09 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2001-06-05 13:11 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2001-05-14 15:19 51,984 ----a-w C:\WINDOWS\inf\i386\Wiafbdrv.dll
2007-12-28 16:51 498,543 --sha-w C:\WINDOWS\system32\vyadd.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0389F60B-1ECA-4F8D-A76E-390C869AD458}]
C:\WINDOWS\System32\ddayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16FCA318-4922-4af2-B2B3-D579ADBA1210}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{589A454E-503F-4962-B8B5-F3DA2B968E64}]
C:\Program Files\Windows NT\nipysabo4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2487E9B-AAE5-4d21-ADDE-1F342354974A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9bd40b4-5d51-4624-8a62-5f484dc4b988}]
C:\WINDOWS\system32\nsmyjbrk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC53EEFE-7DF0-464A-8E4A-DA9BFDE34AB1}]
C:\WINDOWS\system32\sstqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-09-06 12:14 40960]
"Zgfoovqa"="C:\Program Files\Common Files\s?stem\?poolsv.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
"Alww"="C:\WINDOWS\YMANTE~1\chkntfs.exe" [ ]
"Zlajwnzi"="C:\Program Files\Common Files\W?nSxS\??erinit.exe" [ ]
"Rprfwkv"="C:\Documents and Settings\CherylVeile\My Documents\??crosoft\?ervices.exe" [ ]
"Vqrbja"="C:\WINDOWS\system32\?ymantec\w?nspool.exe" [ ]
"Vkcxvd"="C:\WINDOWS\s?stem32\?ttrib.exe" [2001-08-23 11:00 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42 69632]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-12 10:16 26112]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 00:52 380928]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-10-31 12:02 380928]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2001-07-12 07:08 86016]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 00:21 90112]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 15:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-08-19 21:18 88363 C:\WINDOWS\AGRSMMSG.exe]
"78b4cb87"="C:\WINDOWS\system32\syajkfgo.dll" [ ]
"BM7b87f81b"="C:\WINDOWS\system32\xcdwxukb.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-04 05:56 99840 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\CherylVeile\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 23:00:00 51984]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 23:00:00 111376]
Check for OneTouch Updates.lnk - C:\Program Files\Visioneer OneTouch\WiseUpdt.exe [2005-05-14 17:23:29 166518]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Wal-Mart Connect Tray Icon.lnk - C:\Program Files\wmconnecta\wmtray.exe [2004-06-12 11:15:43 32839]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-02-14 22:36:14 217088]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-11-08 19:32:16 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{83AEC75F-2460-45D4-A860-DCE275F57D60}"= %SystemRoot%\system32\browseuidw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrssq]
awtrssq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcby]
iiffcby.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayvt]
xxyayvt.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YPAGER.EXE"=
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Olympus\\DSSPlayerPro\\TpstWnd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 14:46]
S0 Lrv84;Lrv84;C:\WINDOWS\system32\Drivers\Lrv84.sys []
S2 GODR;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 20:55:38 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-04-13 20:55:34 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 15:56:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\OLYMPUS\DEVICEDETECTOR\DM1SERVICE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn\ytbb.exe
.
**************************************************************************
.
Completion time: 2008-04-13 15:57:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 20:57:38
Pre-Run: 111,421,063,168 bytes free
Post-Run: 111,390,195,712 bytes free
.
2008-04-13 20:32:22 --- E O F ---

rosebud · Apr 13, 2008

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:27 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\rosebud\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0389F60B-1ECA-4F8D-A76E-390C869AD458} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {16FCA318-4922-4af2-B2B3-D579ADBA1210} - susioe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {589A454E-503F-4962-B8B5-F3DA2B968E64} - C:\Program Files\Windows NT\nipysabo4444.dll (file missing)
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
O2 - BHO: {889b4cd4-84f5-26a8-4264-15d54b04db9b} - {b9bd40b4-5d51-4624-8a62-5f484dc4b988} - C:\WINDOWS\system32\nsmyjbrk.dll (file missing)
O2 - BHO: (no name) - {EC53EEFE-7DF0-464A-8E4A-DA9BFDE34AB1} - C:\WINDOWS\system32\sstqq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [78b4cb87] rundll32.exe "C:\WINDOWS\system32\syajkfgo.dll",b
O4 - HKLM\..\Run: [BM7b87f81b] Rundll32.exe "C:\WINDOWS\system32\xcdwxukb.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Zgfoovqa] "C:\Program Files\Common Files\s?stem\?poolsv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alww] "C:\WINDOWS\YMANTE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [Zlajwnzi] "C:\Program Files\Common Files\W?nSxS\??erinit.exe"
O4 - HKCU\..\Run: [Rprfwkv] "C:\Documents and Settings\CherylVeile\My Documents\??crosoft\?ervices.exe"
O4 - HKCU\..\Run: [Vqrbja] C:\WINDOWS\system32\?ymantec\w?nspool.exe
O4 - HKCU\..\Run: [Vkcxvd] C:\WINDOWS\s?stem32\?ttrib.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiSpyware2007FreeInstall.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5176/mcfscan.cab
O20 - Winlogon Notify: awtrssq - awtrssq.dll (file missing)
O20 - Winlogon Notify: iiffcby - iiffcby.dll (file missing)
O20 - Winlogon Notify: xxyayvt - xxyayvt.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {83AEC75F-2460-45D4-A860-DCE275F57D60} - C:\WINDOWS\system32\browseuidw.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 9325 bytes

Shaba · Apr 14, 2008

Hi

Much better

Let's clean next some leftovers:

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\system32\ogfkjays.ini
C:\WINDOWS\system32\bgktlgjv.ini
C:\WINDOWS\system32\vbscpyov.ini
C:\WINDOWS\system32\vyadd.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0389F60B-1ECA-4F8D-A76E-390C869AD458}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16FCA318-4922-4af2-B2B3-D579ADBA1210}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{589A454E-503F-4962-B8B5-F3DA2B968E64}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2487E9B-AAE5-4d21-ADDE-1F342354974A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9bd40b4-5d51-4624-8a62-5f484dc4b988}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC53EEFE-7DF0-464A-8E4A-DA9BFDE34AB1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zgfoovqa"=-
"Alww"=-
"Zlajwnzi"=-
"Rprfwkv"=-
"Vqrbja"=-
"Vkcxvd"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"78b4cb87"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrssq]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcby]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayvt]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

rosebud · Apr 15, 2008

ComboFix

ComboFix 08-04-13.1 - CherylVeile 2008-04-14 20:07:05.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.90 [GMT -5:00]
Running from: C:\Documents and Settings\CherylVeile\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CherylVeile\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\bgktlgjv.ini
C:\WINDOWS\system32\ogfkjays.ini
C:\WINDOWS\system32\vbscpyov.ini
C:\WINDOWS\system32\vyadd.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\CherylVeile\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\bgktlgjv.ini
C:\WINDOWS\system32\ogfkjays.ini
C:\WINDOWS\system32\vbscpyov.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wnscpsv32.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 19:30 . 2008-04-14 19:30 42 --a------ C:\Documents and Settings\All Users\Application Data\settings.dat
2008-04-14 19:30 . 2008-04-14 19:30 16 --a------ C:\Documents and Settings\All Users\Application Data\commands.dat
2008-04-08 19:24 . 2008-04-08 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 14:04 . 2008-03-29 14:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 14:04 . 2008-03-29 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 09:13 . 2008-03-29 09:13 35,262 --a------ C:\WINDOWS\Administrator.acl
2008-03-21 14:39 . 2008-04-04 19:04 1,509 --a------ C:\WINDOWS\wininit.ini
2008-03-21 13:33 . 2008-03-21 13:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 13:33 . 2008-03-21 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 21:01 1,780,112 --sha-w C:\Documents and Settings\All Users\Application Data\_log.dat
2008-02-29 12:18 61 ----a-w C:\system.bat
2008-02-29 12:18 44,032 ----a-w C:\winxkvf.exe
2001-07-12 13:09 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2001-06-05 13:11 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2001-05-14 15:19 51,984 ----a-w C:\WINDOWS\inf\i386\Wiafbdrv.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-13_15.57.20.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 20:55:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 00:29:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-09-06 12:14 40960]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50 155648]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42 69632]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-12 10:16 26112]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 00:52 380928]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-10-31 12:02 380928]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2001-07-12 07:08 86016]
"vptray"="C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe" [2003-05-21 00:21 90112]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 15:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-08-19 21:18 88363 C:\WINDOWS\AGRSMMSG.exe]
"BM7b87f81b"="C:\WINDOWS\system32\xcdwxukb.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-04 05:56 99840 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\CherylVeile\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 23:00:00 51984]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 23:00:00 111376]
Check for OneTouch Updates.lnk - C:\Program Files\Visioneer OneTouch\WiseUpdt.exe [2005-05-14 17:23:29 166518]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Wal-Mart Connect Tray Icon.lnk - C:\Program Files\wmconnecta\wmtray.exe [2004-06-12 11:15:43 32839]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-02-14 22:36:14 217088]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-11-08 19:32:16 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{83AEC75F-2460-45D4-A860-DCE275F57D60}"= %SystemRoot%\system32\browseuidw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayvt]
xxyayvt.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YPAGER.EXE"=
"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Olympus\\DSSPlayerPro\\TpstWnd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 14:46]
S0 Lrv84;Lrv84;C:\WINDOWS\system32\Drivers\Lrv84.sys []
S2 GODR;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 00:29:28 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-04-15 00:29:24 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 20:08:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-14 20:09:10
ComboFix-quarantined-files.txt 2008-04-15 01:09:06
ComboFix2.txt 2008-04-13 20:57:54
Pre-Run: 111,626,027,008 bytes free
Post-Run: 111,607,808,000 bytes free
.
2008-04-13 21:04:59 --- E O F ---

rosebud · Apr 15, 2008

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:22 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\rosebud\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BM7b87f81b] Rundll32.exe "C:\WINDOWS\system32\xcdwxukb.dll",s
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiSpyware2007FreeInstall.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5176/mcfscan.cab
O20 - Winlogon Notify: xxyayvt - xxyayvt.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {83AEC75F-2460-45D4-A860-DCE275F57D60} - C:\WINDOWS\system32\browseuidw.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 7857 bytes

Shaba · Apr 15, 2008

Hi

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [BM7b87f81b] Rundll32.exe "C:\WINDOWS\system32\xcdwxukb.dll",s
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: xxyayvt - xxyayvt.dll (file missing)
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

Close all windows including browser and press fix checked.

Reboot.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

rosebud · Apr 16, 2008

HiJackThis log

I couldn't run the Kaspersky scan. I do not see the icon on my desktop anymore. I didn't want to download it again unless you tell me to.

Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:18 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\rosebud\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5176/mcfscan.cab
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {83AEC75F-2460-45D4-A860-DCE275F57D60} - C:\WINDOWS\system32\browseuidw.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Security Service (GODR) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - file:///C:\DOCUME~1\cveile\LOCALS~1\Temp\11\msohtml1\01\clip_image002.gif

--
End of file - 7374 bytes

System32, Virtumonde.dll, Smitfraud-C.CoreService Problems

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member