Not open for further replies.

Registered · 7 Posts
Discussion Starter · #1 ·
I posted a problem re nepalloid

http://www.techsupportforum.com/f50/nepalloid-374779.html

and here is my analysis and attachments


DDS (Ver_09-03-16.01) - NTFSx86
Run by barrett at 13:42:56.59 on Wed 13/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.247.68 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDP.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\barrett\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uow.edu.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page = hxxp://www.uow.edu.au/
mStart Page = hxxp://www.uow.edu.au/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uWindows: load=c:\oplimit\ocraware.exe
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [EPSON TX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiedp.exe /fu "c:\windows\temp\E_S95.tmp" /EF "HKCU"
uRun: [Runmeinit] c:\windows\system32\nepalloid.bat
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] c:\program files\telstra\signup\tbpt.exe
mRun: [Nokia Connection Monitor] "c:\program files\common files\nokia\ncltools\NclConf.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [CaISSDT] "c:\program files\ca\etrust internet security suite\caissdt.exe"
mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [!CleanupNetMeetingDispDriver] "c:\windows\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxps://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194220555663
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194220471319
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~3\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-7-1 4064]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-2 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-2 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-2 108552]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [2005-5-19 837696]
R3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2007-11-1 666624]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S1 VETEFILE;VET File Scan Engine; [x]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 CardPro;Smart Silicon Systems CardPro Serial Smart Card Reader;c:\windows\system32\drivers\ssscpsw.sys --> c:\windows\system32\drivers\ssscpsw.sys [?]
S3 CardProUSB;Smart Silicon Systems CardPro USB Smart Card Reader;c:\windows\system32\drivers\ssscpuw.sys --> c:\windows\system32\drivers\ssscpuw.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-11-14 29744]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2007-6-2 174864]
S3 USBVSP;USBVSP;c:\windows\system32\drivers\usbvsp.sys [2005-4-14 89856]
S3 VETEBOOT;VET Boot Scan Engine; [x]

=============== Created Last 30 ================

2009-05-13 13:35 10,249 a------- C:\http.docx
2009-04-24 14:36 <DIR> --d----- c:\program files\XoftSpySE
2009-04-24 14:32 3,337,664 a------- c:\temp\XoftSpySE_Setup_RW.exe
2009-04-23 17:04 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-23 12:33 <DIR> --d----- c:\documents and settings\barrett\.housecall6.6
2009-04-23 12:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-18 14:55 <DIR> --d----- c:\program files\ABBYY FineReader 6.0
2009-04-18 14:55 <DIR> --d----- c:\program files\ABBYY FineReader 5.0 Sprint
2009-04-18 14:17 101 a------- c:\windows\lexstat.ini
2009-04-18 14:13 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-04-18 14:13 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-04-18 14:13 352,256 a------- c:\windows\system32\LXBKUTIL.DLL
2009-04-18 14:13 69,632 a------- c:\windows\system32\lxbkscin.dll
2009-04-18 14:13 983,101 a------- c:\windows\system32\LXBKGF.DLL
2009-04-18 14:13 57,344 a------- c:\windows\system32\lxbkcinf.dll
2009-04-18 14:13 49,152 a------- c:\windows\system32\lxbkcoin.dll
2009-04-18 14:13 266 a------- c:\windows\system32\lxbkcoin.ini
2009-04-18 14:12 454,656 a------- c:\windows\system32\LXBKJSWR.DLL
2009-04-18 14:12 <DIR> --d----- c:\program files\Lexmark X1100 Series

==================== Find3M ====================

2009-05-12 07:16 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-12 07:16 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-12 07:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-02 08:52 39,342 a--shr-- c:\windows\system32\nepalloid.vbe
2009-04-02 08:52 4,185 a--shr-- c:\windows\system32\nepalloid.bat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2007-11-05 11:16 2,188,064 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-11-05 11:16 38,432 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 13:45:32.39 ===============
 

Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
 

Registered · 7 Posts
Attached is the ComboFix log file

ComboFix 09-05-13.02 - barrett 14/05/2009 16:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.247.54 [GMT 10:00]
Running from: c:\documents and settings\barrett\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hosts
c:\windows\patch.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-13 10:44 . 2009-05-13 10:45 -------- d-----w C:\Techsupport
2009-04-24 04:36 . 2009-05-10 01:40 -------- d-----w c:\program files\XoftSpySE
2009-04-24 04:32 . 2009-04-24 03:54 3337664 ----a-w c:\temp\XoftSpySE_Setup_RW.exe
2009-04-23 07:04 . 2007-08-01 12:47 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-23 02:33 . 2009-04-23 07:46 -------- d-----w c:\documents and settings\barrett\.housecall6.6
2009-04-18 04:55 . 2009-04-18 04:55 -------- d-----w c:\program files\ABBYY FineReader 6.0
2009-04-18 04:55 . 2009-04-18 04:57 -------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2009-04-18 04:13 . 2001-08-17 12:36 87040 ----a-w c:\windows\system32\dllcache\wiafbdrv.dll
2009-04-18 04:13 . 2001-08-17 12:36 87040 ----a-w c:\windows\system32\wiafbdrv.dll
2009-04-18 04:13 . 2003-08-19 14:29 352256 ----a-w c:\windows\system32\LXBKUTIL.DLL
2009-04-18 04:13 . 2003-08-18 15:56 69632 ----a-w c:\windows\system32\lxbkscin.dll
2009-04-18 04:13 . 2002-08-22 19:14 983101 ----a-w c:\windows\system32\LXBKGF.DLL
2009-04-18 04:13 . 2003-08-18 15:56 49152 ----a-w c:\windows\system32\lxbkcoin.dll
2009-04-18 04:13 . 2003-08-18 15:56 57344 ----a-w c:\windows\system32\lxbkcinf.dll
2009-04-18 04:12 . 2003-08-19 14:41 454656 ----a-w c:\windows\system32\LXBKJSWR.DLL
2009-04-18 04:12 . 2009-04-26 00:32 -------- d-----w c:\program files\Lexmark X1100 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 05:40 . 2008-03-20 03:42 -------- d-----w c:\program files\SPSS
2009-05-11 21:16 . 2008-06-02 03:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-11 21:16 . 2008-06-02 03:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-11 21:15 . 2008-06-02 03:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 01:17 . 2005-05-18 05:32 -------- d-----w c:\program files\Nokia
2009-04-25 01:17 . 2004-08-20 06:17 -------- d-----w c:\program files\Common Files\Nokia
2009-04-25 01:17 . 2006-02-01 03:08 -------- d-----w c:\program files\Common Files\PCSuite
2009-04-23 02:11 . 2008-03-07 02:27 -------- d-----w c:\program files\Java
2009-04-14 01:04 . 2009-04-08 05:55 -------- d-----w c:\program files\Spyware Cleaner
2009-04-08 06:01 . 2004-12-06 03:05 -------- d-----w c:\program files\Lavasoft
2009-04-08 03:07 . 2009-04-08 03:07 1025 ----a-w c:\windows\system32\clauth2.dll
2009-04-08 03:07 . 2009-04-08 03:07 1025 ----a-w c:\windows\system32\clauth1.dll
2009-04-01 22:52 . 2009-04-01 22:52 4185 --sha-r c:\windows\system32\nepalloid.bat
2009-04-01 22:52 . 2009-04-01 22:52 39342 --sha-r c:\windows\system32\nepalloid.vbe
2009-03-29 00:03 . 2004-09-29 07:34 89728 -c--a-w c:\documents and settings\barrett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 06:13 . 2009-03-28 06:13 -------- d-----w c:\program files\Microsoft Works
2009-03-28 06:12 . 2009-03-28 06:12 -------- d-----w c:\program files\MSBuild
2009-03-28 06:05 . 2009-03-28 06:05 -------- d-----w c:\program files\Microsoft.NET
2009-03-28 05:35 . 2009-03-28 05:35 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-03-22 01:29 . 2009-03-22 01:29 -------- d-----w c:\program files\activePDF
2009-03-08 19:19 . 2009-01-19 22:45 410984 ----a-w c:\windows\system32\deploytk.dll
2007-11-05 01:16 . 2007-06-02 04:31 2188064 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-11-05 01:16 . 2007-06-02 04:31 38432 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-04 68856]
"EPSON TX100 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEDP.EXE" [2008-02-05 188928]
"Runmeinit"="c:\windows\system32\nepalloid.bat" [2009-04-01 4185]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}"="c:\program files\Telstra\Signup\tbpt.exe" [2002-12-09 94208]
"Nokia Connection Monitor"="c:\program files\Common Files\Nokia\NCLTools\NclConf.exe" [2002-05-08 143360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 176128]
"CaISSDT"="c:\program files\CA\eTrust Internet Security Suite\caissdt.exe" [2005-12-29 165416]
"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-14 29744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 21:16 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [1/07/2008 2:26 PM 4064]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/06/2008 1:17 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/06/2008 1:17 PM 108552]
R2 NokiaSuite3;NokiaSuite3;c:\windows\system32\drivers\NokiaSuite3.sys [19/05/2005 12:35 PM 837696]
R3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [1/11/2007 11:11 AM 666624]
S3 CardPro;Smart Silicon Systems CardPro Serial Smart Card Reader;c:\windows\system32\DRIVERS\ssscpsw.sys --> c:\windows\system32\DRIVERS\ssscpsw.sys [?]
S3 CardProUSB;Smart Silicon Systems CardPro USB Smart Card Reader;c:\windows\system32\DRIVERS\ssscpuw.sys --> c:\windows\system32\DRIVERS\ssscpuw.sys [?]
S3 USBVSP;USBVSP;c:\windows\system32\drivers\usbvsp.sys [14/04/2005 11:40 AM 89856]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EPSON_EB_RPCV4_01
*Deregistered* - EPSON_PM_RPCV4_01
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - InCDsrv
*Deregistered* - InCDsrvR
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - mnmsrvc
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SCardSvr
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b1dd2af-9cdc-11dd-9040-00095bb2a3b1}]
\Shell\Autoplay\Command - F:\nepalloid.bat
\Shell\AutoRun\command - F:\nepalloid.bat
\Shell\explore\Command - F:\nepalloid.bat
\Shell\find\Command - F:\nepalloid.bat
\Shell\open\Command - F:\nepalloid.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd06bd6-35b4-11dc-8fc4-0002e3322bb5}]
\Shell\Autoplay\Command - G:\nepalloid.bat
\Shell\AutoRun\command - G:\nepalloid.bat
\Shell\explore\Command - G:\nepalloid.bat
\Shell\find\Command - G:\nepalloid.bat
\Shell\open\Command - G:\nepalloid.bat

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-09-14 01:24]

2009-05-14 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-04-21 19:45]

2009-05-08 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-04-21 19:45]

2009-05-14 c:\windows\Tasks\{ADB41BF9-032E-4312-8B4C-650911494CAB}_SERVER_barrett.job
- c:\windows\system32\mobsync.exe [2008-07-08 07:56]

2009-05-13 c:\windows\Tasks\{AE732BAC-965F-4174-898F-D6DE4A638C7E}_SERVER_barrett.job
- c:\windows\system32\mobsync.exe [2008-07-08 07:56]

2009-05-08 c:\windows\Tasks\{C16EE357-A280-47B5-9EFE-C7E83E12E0E6}_SERVER_barrett.job
- c:\windows\system32\mobsync.exe [2008-07-08 07:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uow.edu.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.uow.edu.au/
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 17:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mnmsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
.
**************************************************************************
.
Completion time: 2009-05-14 17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 07:17

Pre-Run: 11,933,409,280 bytes free
Post-Run: 14,809,178,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

260 --- E O F --- 2009-05-13 11:29
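Added example (my own code, not part of this thread and not from ComboFix or DDS): a small Python triage script for the "mountpoints2" block that ComboFix printed above. It parses each HKCU mountpoints2 key, flags a key as hijacked when its open/explore/find shell verbs have been redirected to an executable or script on a removable drive (the pattern in the log, where every verb runs nepalloid.bat from F: and G:), and emits the corresponding `[-key]` deletion lines in the CFScript `Registry::` format. The sample text is constructed: the first two keys are copied from the log above, the E: entry and the trailing HKLM key are made up to show a non-hijacked entry and a key the parser should ignore; the verdict labels and the extension list are my own assumptions.

```python
"""Triage ComboFix 'mountpoints2' entries and emit CFScript Registry:: deletions.

Added example, not code from this thread or from ComboFix. SAMPLE_LOG is a
constructed excerpt: two keys copied from the log above plus two made-up keys.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b1dd2af-9cdc-11dd-9040-00095bb2a3b1}]
\Shell\Autoplay\Command - F:\nepalloid.bat
\Shell\AutoRun\command - F:\nepalloid.bat
\Shell\explore\Command - F:\nepalloid.bat
\Shell\find\Command - F:\nepalloid.bat
\Shell\open\Command - F:\nepalloid.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd06bd6-35b4-11dc-8fc4-0002e3322bb5}]
\Shell\Autoplay\Command - G:\nepalloid.bat
\Shell\AutoRun\command - G:\nepalloid.bat
\Shell\explore\Command - G:\nepalloid.bat
\Shell\find\Command - G:\nepalloid.bat
\Shell\open\Command - G:\nepalloid.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00000000-0000-0000-0000-000000000001}]
c:\example\placeholder.exe
"""

# A mountpoints2 key line as ComboFix prints it: "[HKEY_CURRENT_USER\...\mountpoints2\{guid}]"
MOUNTPOINT_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A shell verb line under that key: "\Shell\<verb>\Command - <target>"
SHELL_VERB = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)

# Verbs a user triggers by double-clicking, right-click > Explore, or Search on the drive.
# If these run an attacker-chosen file, simply opening the drive executes it.
HIJACK_VERBS = {"open", "explore", "find"}
# Extensions treated as executable content (assumption for this example).
EXEC_EXT = (".bat", ".cmd", ".vbe", ".vbs", ".js", ".exe", ".scr", ".pif", ".com")


@dataclass
class MountPoint:
    key: str
    verbs: dict = field(default_factory=dict)  # verb name -> command target


@dataclass
class Finding:
    key: str
    drive: str       # e.g. "F:"; "" if no drive-rooted target was seen
    verdict: str     # "hijacked", "review" or "ok"
    targets: tuple   # distinct command targets under the key


def parse_mountpoints(text):
    """Return the mountpoints2 keys found in a ComboFix log excerpt, with their verbs."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = MOUNTPOINT_KEY.match(line)
            current = MountPoint(key=m.group(1)) if m else None  # other keys reset context
            if current is not None:
                entries.append(current)
            continue
        m = SHELL_VERB.match(line)
        if current is not None and m:
            current.verbs[m.group(1)] = m.group(2)
    return entries


def assess(entry):
    """Classify one key: hijacked if open/explore/find run an executable target."""
    targets = tuple(sorted(set(entry.verbs.values())))
    drive = ""
    for t in targets:
        m = re.match(r"^([A-Za-z]:)\\", t)
        if m:
            drive = m.group(1).upper()
            break
    redirected = {v for v in entry.verbs if v.lower() in HIJACK_VERBS}
    executable = any(t.lower().endswith(EXEC_EXT) for t in targets)
    if redirected and executable:
        verdict = "hijacked"
    elif executable:
        verdict = "review"   # plain AutoRun to an .exe: common for vendor media, check it
    else:
        verdict = "ok"
    return Finding(entry.key, drive, verdict, targets)


def triage(text):
    return [assess(e) for e in parse_mountpoints(text)]


def cfscript_registry_lines(findings):
    """CFScript 'Registry::' lines that delete the hijacked keys, as the helper's script does."""
    return ["[-%s]" % f.key for f in findings if f.verdict == "hijacked"]


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print("%-9s %-3s %s -> %s" % (f.verdict, f.drive, f.key.rsplit("\\", 1)[1], ", ".join(f.targets)))
    print("\nRegistry::")
    print("\n".join(cfscript_registry_lines(findings)))
```

Run it against the mountpoints2 section of any ComboFix log by passing that text to `triage()`; the "review" verdict is deliberately conservative, since an AutoRun-only entry pointing at an .exe is what vendor install media produces and needs a human look rather than automatic deletion.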
 

Premium Member · 29,790 Posts
Hello Robert.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Registry Mechanic
Uniblue RegistryBooster
We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Add or Remove Programs in your Control Panel.

------------------------------------------------------

I see you have XoftSpySE installed on your system. This application was previously listed as a rogue program because of false positives and deceptive advertising. Please read here

Although no longer listed as such, we recommend uninstalling it and downloading antispyware programs that have proven themselves tried and true. See here for a list of trustworthy antispyware products.

If you decide to uninstall it, also delete the following Folder if it still exists:

C:\Program Files\XoftSpySE

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

type "C:\boot.ini">look.txt
notepad look.txt
del peek.bat

Save this as peek.bat and choose to Save as type: - All Files, then close the Notepad file.
It should look like this:

Double-click on peek.bat and allow it to run. A Notepad file will open. Post the contents of that file in your next reply.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/f284/nepalloid-375682.html#post2135507

Collect::
c:\windows\system32\clauth2.dll
c:\windows\system32\clauth1.dll
c:\windows\system32\nepalloid.bat
c:\windows\system32\nepalloid.vbe

SecCenter::
{5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

Folder::
c:\documents and settings\barrett\.housecall6.6\quarantine
c:\program files\CA

DDS::
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b1dd2af-9cdc-11dd-9040-00095bb2a3b1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd06bd6-35b4-11dc-8fc4-0002e3322bb5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]

Driver::
CardPro
CardProUSB

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_Date_Time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_Date_Time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
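The CFScript in the post above is a small line-oriented format: a thread URL, then `Directive::` headers (Collect::, SecCenter::, Folder::, DDS::, Registry::, Driver::) each followed by its entries. The following Python is an added example, not ComboFix's own code and not part of the original thread. It parses a script of that shape and runs the checks a reviewer would want before dragging the file onto ComboFix: every Collect::/Folder:: entry is an absolute drive path, every braced class ID is well-formed hex, and the Registry:: deletions are listed explicitly. The block layout (entries run until the next blank line or header) and the function names are assumptions of mine that match the posted script; the embedded script is a copy of the one posted above.

```python
"""Parse and sanity-check a ComboFix CFScript before it is run.

Added example for the thread above; it is not ComboFix's own code.  The
layout assumed here (a URL line, then `Name::` headers whose entries run
until the next blank line or header) matches the posted script.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a copy of the CFScript posted above, embedded so the
# example runs offline.
SAMPLE_CFSCRIPT = r"""http://www.techsupportforum.com/f284/nepalloid-375682.html#post2135507

Collect::
c:\windows\system32\clauth2.dll
c:\windows\system32\clauth1.dll
c:\windows\system32\nepalloid.bat
c:\windows\system32\nepalloid.vbe

SecCenter::
{5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

Folder::
c:\documents and settings\barrett\.housecall6.6\quarantine
c:\program files\CA

DDS::
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b1dd2af-9cdc-11dd-9040-00095bb2a3b1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd06bd6-35b4-11dc-8fc4-0002e3322bb5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]

Driver::
CardPro
CardProUSB
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
# A well-formed GUID: hex groups of 8-4-4-4-12 digits inside braces.
GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
BRACED_RE = re.compile(r"\{[^{}]*\}")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into {directive: [entries]}; the URL goes under '_preamble'."""
    sections: Dict[str, List[str]] = {"_preamble": []}
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines only separate blocks
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def malformed_guids(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Braced identifiers that are not valid hex GUIDs, with the directive they sit in.

    A braced name containing non-hex characters was not produced by any GUID
    generator, so it deserves a second look before the key is deleted.
    """
    found = []
    for name, entries in sections.items():
        for entry in entries:
            for braced in BRACED_RE.findall(entry):
                if not GUID_RE.fullmatch(braced):
                    found.append((name, braced))
    return found


def relative_paths(sections: Dict[str, List[str]],
                   directives: Tuple[str, ...] = ("Collect", "Folder")) -> List[Tuple[str, str]]:
    """File/folder entries that are not absolute drive paths (ComboFix needs full paths)."""
    return [(d, e) for d in directives for e in sections.get(d, []) if not DRIVE_PATH_RE.match(e)]


def registry_deletions(sections: Dict[str, List[str]]) -> List[str]:
    """Keys the Registry:: block deletes: .reg-file convention, [-KEY] means delete KEY."""
    return [e[2:-1] for e in sections.get("Registry", []) if e.startswith("[-") and e.endswith("]")]


def review(text: str) -> Dict[str, object]:
    """One-shot summary a helper can eyeball before running the script."""
    sections = parse_cfscript(text)
    return {
        "directives": [k for k in sections if k != "_preamble"],
        "collect": sections.get("Collect", []),
        "deletes": registry_deletions(sections),
        "bad_guids": malformed_guids(sections),
        "bad_paths": relative_paths(sections),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CFSCRIPT).items():
        print(f"{key}: {value}")
```

Run on the posted script, the only finding is the Active Setup key `{18B0E5C0-4FCB-11CF-AAX5-004016608512}`: the `X` in its fourth group means it is not a GUID at all, which is consistent with a hand-written persistence entry rather than a registered component, and is exactly the kind of detail worth confirming before the Registry:: deletion runs.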
 

Premium Member · 29,790 Posts
Still with us on this thread? You've since created another.
 

Premium Member · 29,790 Posts
I need to see the two logs I requested, look.txt and ComboFix.txt, above in post #4.
 

Premium Member · 29,790 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 