Alrighty, all completed except the SmitfraudFix, which couldn't run. It gave me an error that said process.exe has been removed. I thought I noticed this exe removed with Dr.Web CureIt. Here are my logs...
HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 17:41, on 06-08-02
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.wildtangent.com/webdriver...ll/Install.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://12.153.35.149:8080/exent/components/ExentCtl.ocx
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CF051549-EDE1-40F5-B440-BCD646CF2C25} (Ppinstall Control) - http://www.163.com/wwwimages/sms/ppinstall22.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
SUBS
C:\WINNT\system32\ishost.exe .......... present
C:\WINNT\system32\ishost.exe .......... deleted
C:\WINNT\system32\ismon.exe .......... present
C:\WINNT\system32\ismon.exe .......... deleted
C:\WINNT\system32\isnotify.exe .......... present
C:\WINNT\system32\isnotify.exe .......... deleted
C:\WINNT\system32\issearch.exe .......... present
C:\WINNT\system32\issearch.exe .......... deleted
C:\WINNT\system32\ixt0.dll .......... present
C:\WINNT\system32\ixt0.dll .......... deleted
C:\WINNT\ss1205.exe .......... present
C:\WINNT\ss1205.exe .......... deleted
C:\WINNT\zuckdha.exe .......... present
C:\WINNT\zuckdha.exe .......... deleted
C:\WINNT\wgelb.dll .......... present
C:\WINNT\wgelb.dll .......... deleted
C:\WINNT\876057.exe .......... present
C:\WINNT\876057.exe .......... deleted
C:\WINNT\system32\hvzead7v.exe .......... present
C:\WINNT\system32\hvzead7v.exe .......... deleted
C:\WINNT\system32\xd7ehbkw.exe .......... present
C:\WINNT\system32\xd7ehbkw.exe .......... deleted
C:\WINNT\Tagasuarus2.exe .......... present
C:\WINNT\Tagasuarus2.exe .......... deleted
C:\WINNT\system32\v199.dll .......... present
C:\WINNT\system32\v199.dll .......... deleted
C:\WINNT\YazzleBundle-1304.exe .......... present
C:\WINNT\YazzleBundle-1304.exe .......... deleted
C:\WINNT\win3208656-1870776.exe .......... present
C:\WINNT\win3208656-1870776.exe .......... deleted
C:\WINNT\system32\bdpn.exe .......... present
C:\WINNT\system32\bdpn.exe .......... deleted
c:\winnt\system32\hjkamga.exe .......... present
c:\winnt\system32\hjkamga.exe .......... deleted
C:\Documents and Settings\Administrator\Application Data\PPATCH~1 .......... present
C:\Documents and Settings\Administrator\Application Data\PPATCH~1 .......... deleted
C:\Documents and Settings\Administrator\My Documents\WNSXS~1 .......... present
C:\Documents and Settings\Administrator\My Documents\WNSXS~1 .......... deleted
C:\Documents and Settings\Administrator\Application Data\WeatherBug .......... present
C:\Documents and Settings\Administrator\Application Data\WeatherBug .......... deleted
C:\Program Files\Common Files\STEM32~1 .......... present
C:\Program Files\Common Files\STEM32~1 .......... deleted
C:\Documents and Settings\Administrator\Application Data\CROSOF~1.NET .......... present
C:\Documents and Settings\Administrator\Application Data\CROSOF~1.NET .......... deleted
C:\Program Files\TBONAS .......... present
C:\Program Files\TBONAS .......... deleted
C:\WINNT\system32\YMBOLS~1 .......... present
C:\WINNT\system32\YMBOLS~1 .......... deleted
C:\Program Files\Common Files\fuqf .......... present
C:\Program Files\Common Files\fuqf .......... deleted
C:\Program Files\TClock .......... present
C:\Program Files\TClock .......... deleted
C:\Program Files\nokcvtr .......... present
C:\Program Files\nokcvtr .......... deleted
C:\found.000 .......... present
C:\found.000 .......... deleted
PANDASCAN
Incident Status Location
Adware:adware/securityerror Not disinfected c:\winnt\system32\ot.ico
Adware:adware/sqwire Not disinfected c:\winnt\system32\tsuninst.exe
Adware:adware/clickalchemy Not disinfected c:\winnt\inf\alchem.inf
Adware:adware/ipinsight Not disinfected c:\winnt\inf\polall1r.inf
Adware:adware/enhsrch Not disinfected c:\winnt\dsr.exe
Adware:adware/blazefind Not disinfected c:\winnt\key2.txt
Adware:adware/ieplugin Not disinfected c:\winnt\kwv2.dat
Adware:adware/toprebates Not disinfected c:\program files\Ebates_MoeMoneyMaker
Spyware:spyware/shopnav Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/outerinfo Not disinfected Windows Registry
Adware:adware/activshopper Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/xplugin Not disinfected Windows Registry
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[.advertising.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yv2e5vtx.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cassava[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt
Adware:Adware/ActivShopper Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060728-121114-534.dll
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060729-151519-354.dll
Adware:Adware/EnhSrch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060802-135110-313.dll
Adware:Adware/Transponder Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\ceres.dll
Adware:Adware/TopRebates Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\disp350.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mmaker2.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\Process.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\randreco.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\remtm2.exe
Adware:Adware/ImiBar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\systb.dll_tobedeleted
Adware:Adware/DigInk Not disinfected C:\WINNT\CCZoop05.exe
Spyware:Spyware/Searchcentrix Not disinfected C:\WINNT\Downloaded Program Files\2020Search.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\inf\mmaker2.inf
Adware:Adware/DigInk Not disinfected C:\WINNT\uni_ehhh.exe
No rapport.txt since SmitfraudFix didn't run. I also didn't know whether you needed me to run ComboFix again, since you didn't mention it. It looks like a lot of the stuff has been removed, but Panda found something like 54 infections. Also, something is wrong with my system clock. It's reading in 24-hour mode, and on mouse-over it has the date all reversed and stuff. I think this is TClock, but I'm not sure.
Thank you for all your help. Let me know if I'm still infected.
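The interesting entries in a HijackThis log are usually the ones a helper spots by structure rather than by name: a registry key pointing at a file that is gone, a service with no vendor, a binary named after a Windows component but living outside System32, an ActiveX control served from a raw IP, or IE's search settings redirected to an unfamiliar host. The script below is an added example, not part of the original post and not HijackThis code; it runs those checks over lines copied from the log above. The allowlists (system directories, masqueraded binary names, expected search hosts) and the heuristics themselves are my own assumptions, not anything the forum helper prescribed.

```python
"""Structural triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlsplit

# Assumed: where Windows' own copies of core binaries live on a Win2000/XP box.
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
# Assumed: names that malware commonly borrows to blend in with real processes.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Assumed: hosts considered a normal IE search provider; anything else is a hijack candidate.
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|sys))", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Sample input: lines copied from the log posted above (not constructed, but trimmed to a few).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [hjkamga] c:\winnt\system32\hjkamga.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://12.153.35.149:8080/exent/components/ExentCtl.ocx
O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""


def parse_line(line):
    """Split one HJT line into its section code, body, first file path and first URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    um = URL_RE.search(body)
    return {
        "code": m.group("code"),
        "body": body,
        "path": pm.group(1).lower() if pm else None,
        "url": um.group(0) if um else None,
        "missing": body.endswith("(file missing)"),
    }


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def findings_for(entry):
    """Return the list of reasons this entry deserves a second look (empty if none)."""
    reasons = []
    code, path, url = entry["code"], entry["path"], entry["url"]
    if entry["missing"]:
        reasons.append("dangling reference: registry points at a file that no longer exists")
    if path:
        name = path.rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"{name} outside the system directory (masquerading as a Windows binary)")
    if code == "O23" and "Unknown owner" in entry["body"]:
        reasons.append("service with no vendor/owner")
    if code == "O16" and url and IPV4_RE.match(host_of(url)):
        reasons.append("ActiveX download served from a raw IP address")
    if code in ("R0", "R1") and url and not host_of(url).endswith(EXPECTED_SEARCH_HOSTS):
        reasons.append(f"IE search setting redirected to {host_of(url)}")
    return reasons


def triage(log_text):
    """Run every line through the checks; return only the entries that triggered something."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = findings_for(entry)
        if reasons:
            flagged.append({"code": entry["code"], "body": entry["body"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], f["body"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run as-is it flags the search hijack, the two "(file missing)" orphans, the ActiveX control from 12.153.35.149, and the fake ".NET Framework Service" (three reasons at once: no owner, file missing, and svchost.exe sitting in C:\WINNT instead of System32), while leaving SoundMan and the NVIDIA service alone. The caveat is the `hjkamga.exe` Run entry: it is in System32, present, and has a vendor-free name, so no structural rule catches it. Random-looking names like that are only caught by comparing against a known-good allowlist or looking the file up by hash, which is exactly why helpers on these forums ask for the full log rather than a filtered one.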