Constant pop ups - Win32/Oneraw!generic and trojan.Caiijing and Backdoor:Win32/Sivuxa

[virusnoob]

"Deckard's System Scanner v20071014.68
Run by user on 2007-12-20 18:25:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-12-20 10:25:39 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:15 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\devices.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavGUIScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://auditionsea.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 218.28.141.157 bf2web.gamespy.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\opnkllk.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {61EBBDEC-C5D2-4536-BE74-1D3AEF3F644A} - C:\WINDOWS\system32\jkkli.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKLM\..\Run: [win32serv] cservs.exe
O4 - HKLM\..\Run: [System Device] devices.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - Winlogon Notify: opnkllk - C:\WINDOWS\SYSTEM32\opnkllk.dll
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8072 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Autocomplete (AutoComplete Service) - c:\program files\acesoft\tracks eraser pro\autocomp.exe <Not Verified; Acesoft; AUTOCOMP>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-16 15:00:25 406 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job


-- Files created between 2007-11-20 and 2007-12-20 -----------------------------

2007-12-20 18:26:56 0 d-------- C:\Program Files\Trend Micro
2007-12-19 17:13:31 0 d-------- C:\Program Files\Circle Developement
2007-12-19 16:45:03 196745 --ahs---- C:\WINDOWS\system32\ilkkj.ini2
2007-12-19 16:44:55 322560 --a------ C:\WINDOWS\system32\jkkli.dll
2007-12-19 15:39:35 38912 --a------ C:\WINDOWS\system32\opnkllk.dll
2007-12-19 15:18:40 22321 -r-hs---- C:\WINDOWS\devices.exe
2007-12-19 15:18:37 22321 --a------ C:\device.exe
2007-12-17 17:10:11 0 d-------- C:\Program Files\XMotorRacingDemo
2007-12-17 12:55:59 21821 --a------ C:\pb0.exe
2007-12-14 20:27:27 0 d--h----- C:\WINDOWS\PIF
2007-12-11 23:28:00 1289 --a------ C:\WINDOWS\mozver.dat
2007-12-11 23:19:56 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-11 23:19:51 0 d-------- C:\Documents and Settings\user\Application Data\Mozilla
2007-12-03 15:45:23 0 d-------- C:\Documents and Settings\user\Application Data\DMCache
2007-11-29 1719 0 d-------- C:\Program Files\FlashGet
2007-11-22 21:28:24 0 d-------- C:\Program Files\AuditionSEA
2007-11-20 21:12:02 0 d-------- C:\Program Files\Veoh Networks
2007-11-20 21:11:37 0 d-------- C:\WINDOWS\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2007-12-20 17:11:37 0 d-------- C:\Program Files\Norton Security Scan
2007-12-19 17:13:30 0 d-------- C:\Program Files\MSN Messenger
2007-12-19 17:13:30 0 d-------- C:\Program Files\Messenger Plus! Live
2007-12-14 16:04:31 0 d-------- C:\Program Files\Java
2007-12-11 23:28:04 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2007-11-29 17:09:02 0 d-------- C:\Documents and Settings\user\Application Data\Google
2007-11-22 21:28:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-21 21:02:02 0 d-------- C:\Program Files\DivX
2007-11-18 15:39:54 0 d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2007-11-17 23:01:08 0 d-------- C:\Documents and Settings\user\Application Data\Sun
2007-11-17 22:38:33 0 d-------- C:\Documents and Settings\user\Application Data\Media Player Classic
2007-11-12 21:26:41 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-12 16:51:13 0 d-------- C:\Program Files\Diablo II
2007-11-12 16:34:39 0 d--h----- C:\Documents and Settings\user\Application Data\ijjigame
2007-11-11 17:17:21 0 d-------- C:\Program Files\NHN USA
2007-11-10 19:59:32 0 d-------- C:\Documents and Settings\user\Application Data\Macromedia
2007-11-08 14:58:30 0 d-------- C:\Program Files\Hero Editor
2007-11-07 15:56:36 0 d-------- C:\Program Files\Windows Live
2007-11-04 16:38:00 0 d-------- C:\Program Files\Google
2007-11-04 14:26:26 0 d-------- C:\Program Files\Yahoo!
2007-11-03 20:37:09 0 d-------- C:\Program Files\Common Files\EasyInfo
2007-11-03 20:37:08 0 d-------- C:\Program Files\Common Files
2007-11-03 20:00:07 0 d-------- C:\Program Files\EA GAMES
2007-11-03 19:02:00 0 d-------- C:\Documents and Settings\user\Application Data\Real
2007-11-03 18:34:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-03 18:33:27 35936 --a------ C:\WINDOWS\DIIUnin.dat
2007-11-03 18:31:03 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-11-03 18:31:03 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-11-03 18:31:03 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-11-03 18:09:28 2829 --a------ C:\WINDOWS\DIIUnin.pif
2007-11-03 18:09:28 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2007-11-03 17:49:36 0 d-------- C:\Program Files\EPSON
2007-11-03 15:11:08 0 d-------- C:\Program Files\Feeding Frenzy 2 Deluxe
2007-09-27 12:08:06 692224 --a------ C:\WINDOWS\system32\ijjiSetup.exe <Not Verified; NHN USA; ijjiSetup Application>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3401DB32-7F00-4EC7-A890-A75F64973843}]
12/19/2007 03:39 PM 38912 --a------ C:\WINDOWS\system32\opnkllk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61EBBDEC-C5D2-4536-BE74-1D3AEF3F644A}]
12/19/2007 04:44 PM 322560 --a------ C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [11/02/2007 05:04 PM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [11/02/2007 05:04 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/16/2006 03:35 PM]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.exe" [11/27/2003 02:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"x1x5161x6"="cserv.exe" []
"win32serv"="cservs.exe" []
"System Device"="devices.exe" [12/19/2007 03:18 PM C:\WINDOWS\devices.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [03/17/2005 11:10 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/07/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/08/2007 10:01 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [12/03/2007 01:21 PM]
"@"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3401DB32-7F00-4EC7-A890-A75F64973843}"= C:\WINDOWS\system32\opnkllk.dll [12/19/2007 03:39 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkllk]
opnkllk.dll 12/19/2007 03:39 PM 38912 C:\WINDOWS\system32\opnkllk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- Hosts -----------------------------------------------------------------------

218.28.141.157 bf2web.gamespy.com


-- End of Deckard's System Scanner: finished at 2007-12-20 18:28:47 ------------"

My computer had just being infected with some virus. Few days ago, someone sent me a file call" Image2000-12" on MSN messenger which i go and accept it. Then i open it and nth came out. After a while, the virus activated and it auto sent to my MSN contacts the virus file and my mouse could not move. Then i used my anti-virus programe to scan my computer for any virus, there was a virus called "Win32/Oneraw!generic" which is found in some file infected with it in the location : C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4BRC2IH\.

Then i go a website called "Malware Alarm" and the url is "http://scanner2.malware-scan.com/4_swp/scan.php?ax=&ed=2&tmn=null&aid=
nm_dz_kw4_sg_en_ma4&lid=http&affid=nm_151188_428d65e2ae0611dcade2151
188faffff_96952e3aa941aa3474c7cafaddb6047d&ax=&ed=2&mt_info=4586_0_10987"
to scan my computer for any virus. After scanning, it shows that my computer had three new virus"Trojan.Caiijing, Backdoor:Win32/Sivuxa and Backdoor:Win32/NTRoot" with the alert level High. And there are also times where when i was surfing the internet, there are pop ups and sayings that my computer have illegal porn items. I do not know what is happening to my computer.

I will be very grateful to anybody who can help me with my problems.

[virusnoob]

Bump pls

[sUBs]

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: (no name) - {3401DB32-7F00-4EC7-A890-A75F64973843} - C:\WINDOWS\system32\opnkllk.dll
O2 - BHO: (no name) - {61EBBDEC-C5D2-4536-BE74-1D3AEF3F644A} - C:\WINDOWS\system32\jkkli.dll
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKLM\..\Run: [win32serv] cservs.exe
O4 - HKLM\..\Run: [System Device] devices.exe
O20 - Winlogon Notify: opnkllk - C:\WINDOWS\SYSTEM32\opnkllk.dll

Ignore any prompts for a reboot


---------------


www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[virusnoob]

Thanks for your helpful reply. The text below will be the newest HijackThis log which you had request for it.And the ComboFix log i will attached it to this post.Hope to hear from you soon. Thanks for the help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:43 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hero Editor\Hero Editor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 218.28.141.157 bf2web.gamespy.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [x1x5161x6] cserv.exe
O4 - HKLM\..\Run: [win32serv] cservs.exe
O4 - HKLM\..\Run: [System Device] devices.exe
O4 - HKLM\..\Run: [Microsoft] derservice.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7511 bytes



ComboFix 07-12-24.7 - user 2007-12-24 18:01:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.103 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\15151.exe
C:\WINDOWS\system32\cphbapyi.dll
C:\WINDOWS\system32\efcyvst.dll
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\iypabhpc.ini
C:\WINDOWS\system32\jhelrlmm.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\mmlrlehj.ini
C:\WINDOWS\system32\NTSVC.ocx
C:\WINDOWS\system32\opnkllk.dll
C:\WINDOWS\system32\rehqlrgs.dll
C:\WINDOWS\system32\tlakgwqb.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 11:54 . 2007-12-23 11:54 57,671 -r-hs---- C:\WINDOWS\systemdevices.exe
2007-12-23 10:57 . 2007-12-23 10:57 <DIR> d-------- C:\WINDOWS\WinBots32
2007-12-22 17:26 . 2007-12-22 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 23:42 . 2007-12-21 23:42 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-21 22:59 . 2007-12-21 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-21 22:29 . 2007-12-21 22:29 <DIR> d-------- C:\ie-spyad_zo
2007-12-21 22:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-21 22:19 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jhyrcuptykym.sys
2007-12-21 22:12 . 2007-12-21 23:41 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-21 22:03 . 2007-12-21 22:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-21 22:03 . 2007-12-21 22:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-21 22:03 . 2007-12-21 22:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-21 22:02 . 2007-12-21 22:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-20 18:26 . 2007-12-20 18:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-17 17:10 . 2007-12-19 15:27 <DIR> d-------- C:\Program Files\XMotorRacingDemo
2007-12-16 17:15 . 2007-12-16 17:17 9,729 --a------ C:\WINDOWS\system32\shutdown.zip
2007-12-14 20:27 . 2007-12-14 20:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-11 23:28 . 2007-12-14 15:39 1,289 --a------ C:\WINDOWS\mozver.dat
2007-12-11 23:19 . 2007-12-11 23:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-03 15:45 . 2007-12-03 15:49 <DIR> d-------- C:\Documents and Settings\user\Application Data\DMCache
2007-11-29 17:06 . 2007-11-29 19:08 <DIR> d-------- C:\Program Files\FlashGet
2007-11-29 17:06 . 2004-08-07 04:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 09:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-24 09:42 --------- d-----w C:\Program Files\Diablo II
2007-12-23 04:47 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-21 14:33 --------- d-----w C:\Program Files\Real Alternative
2007-12-21 14:33 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 14:29 --------- d-----w C:\Program Files\Google
2007-12-21 13:40 --------- d-----w C:\Program Files\Norton Security Scan
2007-12-14 08:04 --------- d-----w C:\Program Files\Java
2007-11-22 13:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 13:28 --------- d-----w C:\Program Files\AuditionSEA
2007-11-21 13:02 --------- d-----w C:\Program Files\DivX
2007-11-20 13:12 --------- d-----w C:\Program Files\Veoh Networks
2007-11-18 07:39 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-11-17 14:38 --------- d-----w C:\Documents and Settings\user\Application Data\Media Player Classic
2007-11-12 08:34 --------- d--h--w C:\Documents and Settings\user\Application Data\ijjigame
2007-11-11 09:17 --------- d-----w C:\Program Files\NHN USA
2007-11-08 06:58 --------- d-----w C:\Program Files\Hero Editor
2007-11-06 12:08 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-05 08:38 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-04 06:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-03 12:37 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-11-03 12:00 --------- d-----w C:\Program Files\EA GAMES
2007-11-03 10:34 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-03 10:34 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-03 10:31 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2007-11-03 10:31 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2007-11-03 10:31 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2007-11-03 10:09 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-11-03 09:49 --------- d-----w C:\Program Files\EPSON
2007-11-03 09:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-11-03 07:11 --------- d-----w C:\Program Files\Feeding Frenzy 2 Deluxe
2007-11-02 09:04 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-11-02 09:04 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-11-02 09:04 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-11-02 09:04 32,528 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-11-02 09:04 26,640 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2007-11-02 09:04 21,648 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-11-02 09:04 21,392 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-27 04:08 692,224 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3401DB32-7F00-4EC7-A890-A75F64973843}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B027EB2-71F7-47EB-8312-3E1B3365D4E9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 22:01]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-03 13:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-02 17:04]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-11-02 17:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-07 04:00 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.exe" [2003-11-27 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-07 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 04:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 14:23]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 07:00:25 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 18:10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 18:11:59 - machine was rebooted

[sUBs]

Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/204291-constant-pop-ups-win32-oneraw-generic-trojan-caiijing-backdoor-win32-sivuxa.html
Collect::
C:\WINDOWS\systemdevices.exe
File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\drivers\jhyrcuptykym.sys
Folder::
C:\WINDOWS\WinBots32
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3401DB32-7F00-4EC7-A890-A75F64973843}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B027EB2-71F7-47EB-8312-3E1B3365D4E9}]

Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:

1. Fresh Hijackthis log taken just before replying
2. Online scan
3. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[virusnoob]

Thanks for your helpful reply.

The text below will be the HijackThis log. and the ComboFix log and the KasperskyOnline scan log i will attached them to my post.Hope to hear from you soon. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:40 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8212 bytes


ComboFix 07-12-24.7 - user 2007-12-25 16:41:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\jhyrcuptykym.sys
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\jhyrcuptykym.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\systemdevices.exe
C:\WINDOWS\WinBots32
C:\WINDOWS\WinBots32\23-12-2007.10-57-22.bot

.
((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-24 21:07 . 2007-12-25 16:42 <DIR> d-------- C:\Documents and Settings\user\Application Data\Hamachi
2007-12-24 21:06 . 2007-12-24 21:07 <DIR> d-------- C:\Program Files\Hamachi
2007-12-24 21:06 . 2007-12-24 21:06 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-24 20:04 . 2007-12-24 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-24 18:30 . 2007-12-24 18:30 <DIR> d-------- C:\Program Files\Windows Live
2007-12-24 18:30 . 2007-12-24 18:30 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-12-24 18:30 . 2007-12-24 18:30 <DIR> d-------- C:\Program Files\Circle Developement
2007-12-22 17:26 . 2007-12-22 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 22:59 . 2007-12-21 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-21 22:29 . 2007-12-21 22:29 <DIR> d-------- C:\ie-spyad_zo
2007-12-21 22:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-21 22:12 . 2007-12-21 23:41 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-21 22:03 . 2007-12-21 22:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-21 22:03 . 2007-12-21 22:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-21 22:03 . 2007-12-21 22:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-21 22:02 . 2007-12-21 22:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-20 18:26 . 2007-12-20 18:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-17 17:10 . 2007-12-19 15:27 <DIR> d-------- C:\Program Files\XMotorRacingDemo
2007-12-16 17:15 . 2007-12-16 17:17 9,729 --a------ C:\WINDOWS\system32\shutdown.zip
2007-12-14 20:27 . 2007-12-14 20:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-11 23:28 . 2007-12-14 15:39 1,289 --a------ C:\WINDOWS\mozver.dat
2007-12-11 23:19 . 2007-12-11 23:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-03 15:45 . 2007-12-03 15:49 <DIR> d-------- C:\Documents and Settings\user\Application Data\DMCache
2007-11-29 17:06 . 2007-11-29 19:08 <DIR> d-------- C:\Program Files\FlashGet
2007-11-29 17:06 . 2004-08-07 04:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 08:35 --------- d-----w C:\Program Files\Diablo II
2007-12-25 08:33 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-24 10:30 --------- d-----w C:\Program Files\MSN Messenger
2007-12-23 04:47 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-21 14:33 --------- d-----w C:\Program Files\Real Alternative
2007-12-21 14:29 --------- d-----w C:\Program Files\Google
2007-12-21 13:40 --------- d-----w C:\Program Files\Norton Security Scan
2007-12-14 08:04 --------- d-----w C:\Program Files\Java
2007-11-22 13:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 13:28 --------- d-----w C:\Program Files\AuditionSEA
2007-11-21 13:02 --------- d-----w C:\Program Files\DivX
2007-11-20 13:12 --------- d-----w C:\Program Files\Veoh Networks
2007-11-18 07:39 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-11-17 14:38 --------- d-----w C:\Documents and Settings\user\Application Data\Media Player Classic
2007-11-12 08:34 --------- d--h--w C:\Documents and Settings\user\Application Data\ijjigame
2007-11-11 09:17 --------- d-----w C:\Program Files\NHN USA
2007-11-08 06:58 --------- d-----w C:\Program Files\Hero Editor
2007-11-06 12:08 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-05 08:38 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-04 06:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-03 12:37 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-11-03 12:00 --------- d-----w C:\Program Files\EA GAMES
2007-11-03 10:34 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-03 10:34 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-03 10:31 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2007-11-03 10:31 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2007-11-03 10:31 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2007-11-03 10:09 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-11-03 09:49 --------- d-----w C:\Program Files\EPSON
2007-11-03 09:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-11-03 07:11 --------- d-----w C:\Program Files\Feeding Frenzy 2 Deluxe
2007-11-02 09:04 99,904 ----a-w C:\WINDOWS\system32\isafeif.dll
2007-11-02 09:04 79,424 ----a-w C:\WINDOWS\system32\vetredir.dll
2007-11-02 09:04 75,280 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-11-02 09:04 32,528 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-11-02 09:04 26,640 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2007-11-02 09:04 21,648 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-11-02 09:04 21,392 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-27 04:08 692,224 ----a-w C:\WINDOWS\system32\ijjiSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-07 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 22:01]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-03 13:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-11-02 17:04]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-11-02 17:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-07 04:00 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus C65 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.exe" [2003-11-27 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-12-24 2148]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-07 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 04:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 14:23]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 07:00:25 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 16:44:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-25 16:44:52
C:\ComboFix2.txt ... 2007-12-24 18:11


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 25, 2007 6:59:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/12/2007
Kaspersky Anti-Virus database records: 493349
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 33334
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 00:44:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\activitylog.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\Working\database_E2A0_383B_A038_190D\dfsr.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\Working\database_E2A0_383B_A038_190D\fsr.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\bingchong_93@hotmail.com\SharingMetadata\Working\database_E2A0_383B_A038_190D\tmp.edb Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\bingchong_93@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\bingchong_93@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007122520071226\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF1768.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF1923.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF1E89.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF28FE.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF290A.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF3D47.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF3DA6.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFCF4C.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFCF81.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Diablo II\BnetLog.txt Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cphbapyi.dll.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\efcyvst.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jhelrlmm.dll.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\qoobox\Quarantine\C\WINDOWS\WinBots32\23-12-2007.10-57-22.bot.vir Infected: Backdoor.Win32.SdBot.cok skipped