Thanks for the quick help. Here are the logs, in order.
COMBOFIX - TXT-1
Puraj - 06-09-25 17:38:36.81 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))
2006-09-25 08:06 17,787 --a------ C:\WINDOWS\SYSTEM32\KBDons.dll
2006-09-06 00:16 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-06 00:08 928 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-06 00:07 420,000 -r-hs---- C:\WINDOWS\jivzheh.exe
2006-09-05 15:14 68,608 --a------ C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14 275,456 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14 1,190,400 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2006-08-25 13:26 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2006-08-25 13:26 8,192 --a------ C:\WINDOWS\SYSTEM32\kbdkor.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101c.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101b.dll
2006-08-25 13:26 5,632 --a------ C:\WINDOWS\SYSTEM32\kbd103.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-25 15:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-25 14:49 -------- d-------- C:\Program Files\Common Files
2006-09-25 07:35 -------- d-------- C:\Program Files\QuickTime
2006-09-25 07:35 -------- d-------- C:\Program Files\iTunes
2006-09-25 07:35 -------- d-------- C:\Program Files\Apoint
2006-09-21 19:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-20 14:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 15:19 -------- d-------- C:\Program Files\PokerStars
2006-09-06 13:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 12:54 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 12:54 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53 -------- d-------- C:\Program Files\PCFriendly
2006-09-06 00:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 00:26 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-09-06 00:11 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 00:06 -------- d-------- C:\Program Files\Windows NT
2006-09-06 00:06 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-15 13:10 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10 -------- d-------- C:\Program Files\Google
2006-08-13 20:04 -------- d-------- C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00 -------- d-------- C:\Program Files\Adobe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aida"="\"C:\\WINDOWS\\SKS~1\\chkdsk.exe\" -vt tzt"
"Lzuxfpzj"="C:\\WINDOWS\\SYSTEM32\\?racle\\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"{C8-86-66-67-ZN}"="c:\\windows\\system32\\okdsregs.exe GEN001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyfefyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\hocycosyp.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP748]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"backup"="C:\\WINDOWS\\pss\\TFTP748Common Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"item"="TFTP748"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="RAVMOND"
"hkey"="HKCU"
"command"="RAVMOND.exe"
"inimapping"="1"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Mon 09/25/2006 17:39:40.52
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
COMBOFIX - TXT-2
Puraj - 06-09-25 21:41:03.92 Service Pack 1
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Puraj\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))
2006-09-25 08:06 17,787 --a------ C:\WINDOWS\SYSTEM32\KBDons.dll
2006-09-06 00:16 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2006-09-06 00:08 928 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-06 00:07 420,000 -r-hs---- C:\WINDOWS\jivzheh.exe
2006-09-05 15:14 68,608 --a------ C:\WINDOWS\SYSTEM32\olecli32.dll
2006-09-05 15:14 275,456 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-05 15:14 1,190,400 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2006-08-25 13:26 8,704 --a------ C:\WINDOWS\SYSTEM32\kbdjpn.dll
2006-08-25 13:26 8,192 --a------ C:\WINDOWS\SYSTEM32\kbdkor.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd106.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101c.dll
2006-08-25 13:26 6,144 --a------ C:\WINDOWS\SYSTEM32\kbd101b.dll
2006-08-25 13:26 5,632 --a------ C:\WINDOWS\SYSTEM32\kbd103.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-25 17:48 -------- d-------- C:\Program Files\Dell
2006-09-25 15:06 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-25 14:49 -------- d-------- C:\Program Files\Common Files
2006-09-25 07:35 -------- d-------- C:\Program Files\QuickTime
2006-09-25 07:35 -------- d-------- C:\Program Files\iTunes
2006-09-25 07:35 -------- d-------- C:\Program Files\Apoint
2006-09-21 19:27 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-20 14:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-12 15:19 -------- d-------- C:\Program Files\PokerStars
2006-09-06 13:19 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-06 12:54 -------- d-------- C:\Program Files\Lavasoft
2006-09-06 12:54 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Lavasoft
2006-09-06 11:53 -------- d-------- C:\Program Files\PCFriendly
2006-09-06 00:30 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-06 00:26 -------- d-------- C:\Documents and Settings\Puraj\Application Data\SystemDoctor 2006 Free
2006-09-06 00:11 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-06 00:06 -------- d-------- C:\Program Files\Windows NT
2006-09-06 00:06 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-15 13:10 -------- d-------- C:\Documents and Settings\Puraj\Application Data\Adobe
2006-08-14 10:10 -------- d-------- C:\Program Files\Google
2006-08-13 20:04 -------- d-------- C:\Documents and Settings\Puraj\Application Data\AdobeUM
2006-08-13 20:00 -------- d-------- C:\Program Files\Adobe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aida"="\"C:\\WINDOWS\\SKS~1\\chkdsk.exe\" -vt tzt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\kyfefyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows NT\\hocycosyp.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,b0,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TFTP748]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"backup"="C:\\WINDOWS\\pss\\TFTP748Common Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\TFTP748"
"item"="TFTP748"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="RAVMOND"
"hkey"="HKCU"
"command"="RAVMOND.exe"
"inimapping"="1"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Mon 09/25/2006 21:42:05.24
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
PANDA SCAN
Incident Status Location
Virus:Trj/Lowzones.SV Disinfected Operating system
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:01:12 PM, on 9/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SKS~1\chkdsk.exe" -vt tzt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
THANKS AGAIN!