Hello and welcome to TSF.:smile:

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having problems, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

Thank you for your patience.

 

Here is the new log, thanks again for your help. Hopefully if I enter the Academy and learn fast enough, I can help you guys out with all these logs =\



<
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:56 PM, on 29/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Initio\AcomData PushButton Manager v1.10\inihid_xp.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - Startup: AcomData PushButton Manager.lnk = %APPDATA%\Microsoft\Installer\{3EB255B0-0707-4A8E-8044-B4B51A36CEDA}\_124305e.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm492YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c....microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093971347000
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7909 bytes
>

 

Hi,

It appears that you are infected with a password stealing trojan. If this computer is ever used for on-line banking, or shopping, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

===========================

You seem to be running two antivirus applications, i.e. Yahoo Antivirus and McAfee. You'll have to decide on one and remove the other via Add or Remove Programs in Control Panel. Multiple antivirus programs can bog down your system, interfere with each other, and may even cause crashes.

===========================

Scan with HijackThis and put a checkmark against the following entries:

O4 - HKLM\..\Run: [tasa] C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm492YYUS

Close all browsers/windows other than HijackThis and click on "fix checked". Exit HijackThis.

===========================

Download Combofix from one of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Open notepad (Start>All programs>accessories>notepad ). and copy/paste the text in the quotebox below into it (It must be notepad, not wordpad, or it won't work):

File::
C:\WINDOWS\system32\kavo.exe
C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

<
ComboFix 07-12-31.4 - ycchen 2007-12-31 12:17:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.603 [GMT -8:00]
Running from: C:\Documents and Settings\ycchen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ycchen\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\ycchen\LOCALS~1\Temp\taso.exe
C:\WINDOWS\system32\kavo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\del.bat
C:\WINDOWS\system32\kavo.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 12:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-29 00:21 . 2007-12-22 00:51 116,009 -r-hs---- C:\erdeIect.com
2007-12-28 23:43 . 2007-12-28 23:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-28 23:02 . 2004-08-03 22:59 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2007-12-28 23:02 . 2004-08-03 22:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2007-12-25 21:26 . 2007-12-25 21:26 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2007-12-25 20:44 . 2007-12-25 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 23:22 . 2007-12-25 14:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-24 23:22 . 2007-12-25 13:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-24 23:22 . 2007-12-25 13:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-24 23:22 . 2007-12-25 13:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-24 21:25 . 2007-12-24 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 22:08 . 2007-12-31 09:15 <DIR> d-------- C:\QUARANTINE
2007-12-22 21:59 . 2007-12-22 21:59 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-22 21:59 . 2007-12-22 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-22 21:59 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-22 21:59 . 2007-08-13 20:50 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-22 21:59 . 2007-08-13 20:50 72,712 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-22 21:59 . 2007-08-13 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-22 21:59 . 2007-08-13 20:50 52,200 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-22 21:59 . 2007-08-13 20:50 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-22 21:59 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-22 21:58 . 2007-12-22 21:59 <DIR> d-------- C:\Program Files\McAfee
2007-12-22 21:58 . 2007-12-22 21:58 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-23 18:33 . 2007-11-23 18:33 <DIR> d-------- C:\Documents and Settings\ycchen\Application Data\Viewpoint
2007-11-13 23:26 . 2007-11-13 23:26 450,560 --a------ C:\WINDOWS\system32\SET4D.tmp
2007-11-07 21:57 . 2007-10-03 22:18 797,008 --a------ C:\WINDOWS\system32\1.wmv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 08:01 --------- d-----w C:\Documents and Settings\ycchen\Application Data\Skype
2007-12-25 05:31 --------- d-----w C:\Program Files\Viewpoint
2007-12-23 05:57 --------- d-----w C:\Program Files\Network Associates
2007-12-18 06:59 --------- d-----w C:\Program Files\Lexmark 1200 Series
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\shell32(2)(2).dll
2006-08-06 05:30 6,064 -c--a-w C:\Documents and Settings\All Users\Application Data\YPInfo.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-07-16 08:16 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 20:39 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 20:39 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 20:39 455168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-10 10:56 180269]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 01:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [2003-05-20 18:21 49152]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2005-12-23 10:36 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2005-12-23 10:36 185456]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-08-13 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-03-15 23:07 57344 --a------ C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 19:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 16:19 129536 --a------ C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
2005-02-11 18:14 352256 --a------ C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-06 18:23]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-08-01 05:45]
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [2003-04-20 21:37]
S3 inigpio;Initio GPIO Controller Driver;C:\WINDOWS\system32\DRIVERS\inigpio.sys [2004-05-10 15:59]
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys [2002-12-13 00:06]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2003-08-01 05:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\erdeIect.com
\Shell\explore\Command - C:\erdeIect.com
\Shell\open\Command - C:\erdeIect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93126070-71af-11d9-9b08-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b452da10-b06a-11dc-a095-00038a000015}]
\Shell\AutoRun\command - E:\ntdelect.com
\Shell\explore\Command - E:\ntdeIect.com
\Shell\open\Command - E:\ntdeIect.com

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 12:21:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = C:\WINDOWS\system32\umonit.exe?0781&Pid_8?????VID808?????W?D?USB\RO8???UB?0??????????????????????????????????tq??l????|p??????m??d?w?????????W?B$?|????*?,??W????????????????????????????????????????tq??????T??????????tq??????"????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 12:22:45
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:22:30
.
2007-12-22 17:02:02 --- E O F ---
>











<
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:16 PM, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Initio\AcomData PushButton Manager v1.10\inihid_xp.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AcomData PushButton Manager.lnk = %APPDATA%\Microsoft\Installer\{3EB255B0-0707-4A8E-8044-B4B51A36CEDA}\_124305e.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c....microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093971347000
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7790 bytes
>

 

Hi,

You seem to be running two antivirus applications, i.e. Yahoo Antivirus and McAfee. You'll have to decide on one and remove the other via Add or Remove Programs in Control Panel. Multiple antivirus programs can bog down your system, interfere with each other, and may even cause crashes.

I am still seeing the two antivirus applications. Did you miss my instructions, or did you have problem removing one of them?

================================

Please go to Start>Control Panel>Add or Remove Programs and remove:

Viewpoint

================================

Is E:\ your thumbdrive? If it is, either have it attached while you run the Combofix or delete the following file from your thumbdrive manually:

E:\ntdelect.com

================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

File::
C:\erdeIect.com
C:\WINDOWS\system32\SET4D.tmp
E:\ntdelect.com

Folder::
C:\Documents and Settings\ycchen\Application Data\Viewpoint
C:\Program Files\Viewpoint

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b452da10-b06a-11dc-a095-00038a000015}]

Suspect::
C:\WINDOWS\system32\1.wmv

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

 

When you're done with the above instructions, please do this too:

Go to Start>Control Panel>Add/Remove Programs and remove if Kaspersky online scanner is present prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop in txt format.

Copy and paste that information from Kapersky in your next post.


*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans for no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

 

I couldn't find the other anti-virus at first, but after some searching I removed the Yahoo one.

However, I couldn't find Viewpoint in the Add/Remove programs window. E:\ is indeed the thumbdrive; however there is one thing I forgot to mention. My dad first started noticing problems after using a thumbdrive my uncle lent him, which has led us to believe the thumbdrive was infected and spread to our laptop.

I checked the thumbdrives we have and they don't have the file you specified.


Here are the logs:


<

ComboFix 07-12-31.4 - ycchen 2008-01-01 21:46:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.655 [GMT -8:00]
Running from: C:\Documents and Settings\ycchen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ycchen\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\erdeIect.com
C:\WINDOWS\system32\SET4D.tmp
E:\ntdelect.com
.

((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2007-12-31 12:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 23:43 . 2007-12-28 23:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-28 23:02 . 2004-08-03 22:59 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2007-12-28 23:02 . 2004-08-03 22:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2007-12-25 21:26 . 2007-12-25 21:26 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2007-12-25 20:44 . 2007-12-25 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 23:22 . 2007-12-25 14:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-24 23:22 . 2007-12-25 13:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-24 23:22 . 2007-12-25 13:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-24 23:22 . 2007-12-25 13:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-24 21:25 . 2007-12-24 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-22 22:08 . 2007-12-31 09:15 <DIR> d-------- C:\QUARANTINE
2007-12-22 21:59 . 2007-12-22 21:59 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-22 21:59 . 2007-12-22 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-22 21:59 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-22 21:59 . 2007-08-13 20:50 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-22 21:59 . 2007-08-13 20:50 72,712 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-22 21:59 . 2007-08-13 20:50 64,168 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-22 21:59 . 2007-08-13 20:50 52,200 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-22 21:59 . 2007-08-13 20:50 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-22 21:59 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-22 21:58 . 2007-12-22 21:59 <DIR> d-------- C:\Program Files\McAfee
2007-12-22 21:58 . 2007-12-22 21:58 <DIR> d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 05:03 --------- d-----w C:\Program Files\Yahoo!
2008-01-02 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-02 05:01 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-01 09:04 --------- d-----w C:\Documents and Settings\ycchen\Application Data\Skype
2007-12-23 05:57 --------- d-----w C:\Program Files\Network Associates
2007-12-18 06:59 --------- d-----w C:\Program Files\Lexmark 1200 Series
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\shell32(2)(2).dll
2006-08-06 05:30 6,064 -c--a-w C:\Documents and Settings\All Users\Application Data\YPInfo.bin
.

((((((((((((((((((((((((((((( snapshot@2007-12-31_12.21.42.97 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-29 02:43:48 85,776 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-01-02 04:32:37 85,776 ----a-w C:\WINDOWS\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2003-07-16 08:16 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 20:39 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 20:39 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 20:39 455168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-10 10:56 180269]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 01:52 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 01:52 122880]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [2003-05-20 18:21 49152]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-08-13 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-02-11 08:56 3067904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-03-15 23:07 57344 --a------ C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 19:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 16:19 129536 --a------ C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe

R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-02-06 18:23]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-08-01 05:45]
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [2003-04-20 21:37]
S3 inigpio;Initio GPIO Controller Driver;C:\WINDOWS\system32\DRIVERS\inigpio.sys [2004-05-10 15:59]
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys [2002-12-13 00:06]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2003-08-01 05:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93126070-71af-11d9-9b08-00038a000015}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 21:47:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 21:48:50
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 05:48:35
C:\qoobox\ComboFix2.txt 2008-01-02 05:27:24
C:\qoobox\ComboFix3.txt 2007-12-31 20:22:46
.
2007-12-22 17:02:02 --- E O F ---
>











Tuesday, January 01, 2008 11:41:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/01/2008
Kaspersky Anti-Virus database records: 468373


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 62947
Number of viruses found 2
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 01:14:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DRCHENCADMASTER.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DRCHENCADMASTER.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03e56b0aecec039b521f5357d5a8f287_0dc68736-d476-4a05-9c5c-808235edb376 Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\ycchen\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ycchen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ycchen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ycchen\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ycchen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ycchen\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\ycchen\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped

C:\Program Files\SBC Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped

C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.bdl skipped

C:\QooBox\Quarantine\C\erdeIect.com.vir Infected: Trojan-PSW.Win32.OnLineGames.mab skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.mab skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{FECD3BEC-2C09-4FEF-8447-26E2A71AB4A1}\RP586\A0101983.exe Infected: Trojan-PSW.Win32.OnLineGames.mab skipped

C:\System Volume Information\_restore{FECD3BEC-2C09-4FEF-8447-26E2A71AB4A1}\RP586\A0101984.inf Infected: Worm.Win32.AutoRun.bdl skipped

C:\System Volume Information\_restore{FECD3BEC-2C09-4FEF-8447-26E2A71AB4A1}\RP587\A0102262.com Infected: Trojan-PSW.Win32.OnLineGames.mab skipped

C:\System Volume Information\_restore{FECD3BEC-2C09-4FEF-8447-26E2A71AB4A1}\RP588\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{9E45389C-F630-45B8-BA8A-DABB4049B2A7}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

 

Hi,

Before we proceed further, I would like you to have the following files scanned.

Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\WINDOWS\system32\shell32(2)(2).dll

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Do the same for

C:\WINDOWS\system32\1.wmv

and let me know of the results and how the computer is running now, please.

 

File: shell32(2)(2).dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: bc061480f01eab948744c6c5e24fb7a8
Packers detected: -
Bit9 reports: No threat detected (more info)

Scan taken on 03 Jan 2008 06:30:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Last file scanned at least one scanner reported something about: all_meemans_trainers50020.zip (MD5: 0ab75bddba5dcf20f494da6451563d76, size: 1307829 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Drop.Agent.dha
ArcaVir X
Avast X
AVG Antivirus HackTool.AID
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet CheatEng.A!tr
Ikarus HackTool.Win32.Delf.bw
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus Hack.Delf.fv
Sophos Antivirus Troj/CheatEng-A
VirusBuster X
VBA32 X








File: 1.wmv
Status: OK
MD5: 82e077abc9defd984d398f2b8cb41c77
Packers detected: -
Bit9 reports: Not analyzed yet

Scan taken on 03 Jan 2008 06:46:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


The computer so far runs fine, although I have avoided running it most of the time. Is there anything else I should do, or am I in the clear?

 

Last file scanned at least one scanner reported something about: all_meemans_trainers50020.zip (MD5: 0ab75bddba5dcf20f494da6451563d76, size: 1307829 bytes), detected by:

Where did you get this file from? I don't remember seeing it in any of the logs.

 

I used the second scanner you gave me, because the load on the first was too large.

I wasn't sure which parts of the results were part of the report, so I just copied everything that looked like the report. I'm not sure if the file is on the computer or not...

 

Hi,



Both scanners are fine. I just couldn't understand why you had the results for a file which you were not asked to submit. You can use Windows' search function to find out if the file is on the computer or not.

• Click Start then Run
• Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /
  
  
  
  
  This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here .


If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing! :smile:

 

Sorry for the delay. My last post was made at home, and I have since returned to school, so I have not been able to access my dad's laptop.

Thank you for the help, I'll ssh into it tomorrow and let you know!