I was trying to post a reply to a thread I started related to my problem, but it says I cannot post a reply to the thread because it's too old now. Here's the link to the thread:
http://www.computing.net/answers/se...
Now since I can't even alert 'jabuck', the guy who was helping me out, I have to start a new thread regarding my problem - the link to which is given above.

... have you tried this?:
http://www.malwarebytes.org/mbam.php
... download and install, run
Grrrr
"...pentathol makes you sing like a canary"
... got brain freeze

I ran combofix as instructed by 'jabuck' the last time I had this problem. I've stopped getting "New Malware.j" messages for now, but there are still some problems to deal with. My computer is running very slow and one more REALLY ANNOYING problem I haven't been able to get rid of is:
whenever I close an explorer window e.g. My Computer or My Documents, all my desktop icons and taskbar disappear for a couple of seconds. But it doesn't happen when I have multiple windows open and I close them - it only happens when I open just one explorer window and then close it. Is there a virus which could've caused this? I've stopped getting the malware alerts from my antivirus after running combofix, so do you still want me to run the software you suggested?
And is there any way to alert 'jabuck' as he was dealing with my problem?

Your post must have been a while back.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Nice to see you again bro. Now I'm pretty positive my problem will be solved :)
Here's the log
--------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:33 PM, on 15-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
d:\Program Files\Invisible Browsing\servers\IBService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
d:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
d:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hassaan\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.142.156.49:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - F:\Program Files\NetConceal\Anonymity Shield\ProxyNew.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.c...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBService - Unknown owner - d:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7783 bytes

Run Hijack This, close all browsers and windows except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
Next, navigate to and delete these files:
C:\Program Files\DAP\dapextie2.htm
C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
Then, delete this folder:
C:\Program Files\DAP
Your java is out of date and has been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please download Malwarebytes' Anti-Malware from one of these sites:
Be sure to follow the directions in item 6 when the scan finishes.
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
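Added example, not from this thread or from HijackThis: a small Python triage script that applies the kinds of checks the helper applied to the log above (entries marked "(file missing)", an R1 ProxyServer pointing off the machine, an O4 autostart of an older JRE 6 update than the recommended one, O23 services with no recorded owner). The sample lines are constructed from entries of the kinds in the posted log; the loopback host list and the "Update 7 is current" threshold are assumptions.

```python
import re

# Constructed sample: HijackThis v2.0.2 lines of the kinds that appear in the
# log posted in this thread (a handful of entries, not the complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.142.156.49:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O23 - Service: IBService - Unknown owner - d:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
End of file - 7783 bytes
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# JRE 6 install paths carry the update number: jre1.6.0_<update>.
JRE_RE = re.compile(r"jre1\.6\.0_(?P<update>\d+)", re.IGNORECASE)
# Proxy hosts that only point back at the machine itself (assumption).
LOCAL_PROXY_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs, skipping header and footer."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text, current_jre_update=7):
    """Return [(section, body, reason)] for the entries a helper would look at first.

    current_jre_update is the newest JRE 6 update number; the thread treats
    JRE 6 Update 7 as current, so 7 is the default (assumption).
    """
    findings = []
    for section, body in parse_entries(log_text):
        # Entries whose target file is gone are orphans: harmless but useless,
        # and the first thing a helper lets HijackThis fix.
        if body.endswith("(file missing)"):
            findings.append((section, body, "orphaned entry: target file missing"))
            continue
        # An R1 ProxyServer that is not loopback relays every IE request through
        # that host; the user should be able to say where it came from.
        # Assumes the plain host:port form HijackThis shows in this thread.
        if section == "R1" and ",ProxyServer = " in body:
            host = body.split("= ", 1)[1].split(":", 1)[0]
            if host not in LOCAL_PROXY_HOSTS:
                findings.append((section, body, f"proxy to external host {host}"))
                continue
        # An O4 autostart belonging to an older JRE 6 update than the current one.
        if section == "O4":
            m = JRE_RE.search(body)
            if m and int(m.group("update")) < current_jre_update:
                upd = int(m.group("update"))
                findings.append((section, body, f"outdated JRE 6 update {upd}"))
                continue
        # O23 services with no publisher recorded in the binary deserve a look.
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, body, "service with unknown owner"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {section} - {body}")
```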

you said
"Next, navigate to and delete these files:
C:\Program Files\DAP\dapextie2.htm
C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
Then, delete this folder:
C:\Program Files\DAP"
Download Accelerator Plus is installed on my system. So do I uninstall it or just delete its folder from 'Program Files'?

Sorry for replying late bro. I had actually installed JDK instead of JRE, so I've removed it now and installed JRE. Does it make any difference by the way?
Here's the log produced by MBAM:
------------
Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2
8:58:31 PM 25-Aug-08
mbam-log-08-25-2008 (20-58-31).txt
Scan type: Quick Scan
Objects scanned: 52937
Time elapsed: 19 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Delete on reboot.

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
To run Combofix go offline, shut down your McAfee antivirus, run Combofix, restart the computer to get McAfee up and running again, get online and post the Combofix log please.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

ComboFix 08-08-24.03 - Hassaan 2008-08-26 12:28:56.8 - NTFSx86
Running from: C:\Documents and Settings\Hassaan\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-25 20:05 . 2008-08-25 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\Hassaan\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:05 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 00:54 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-25 00:51 . 2008-08-25 00:54 <DIR> d-------- C:\Program Files\Java
2008-08-25 00:51 . 2008-08-25 00:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-20 18:38 . 2008-08-20 18:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-20 18:38 . 2008-08-20 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-19 23:23 . 2008-08-19 23:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 03:02 . 2008-08-25 20:09 <DIR> d-------- C:\Program Files\Ontrack
2008-08-14 11:23 . 2008-08-14 11:23 <DIR> d-------- C:\log
2008-08-08 16:07 . 2008-08-08 16:07 286,720 --------- C:\WINDOWS\Setup1.exe
2008-08-08 16:07 . 2008-08-08 16:07 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2008-08-07 19:53 . 2008-08-07 20:03 <DIR> d-------- C:\Documents and Settings\Hassaan\.netvis
2008-08-07 19:50 . 2008-08-07 19:50 <DIR> d-------- C:\Program Files\RouterSim
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 10:52 --------- d-----w C:\Program Files\VideoMate
2008-08-18 21:54 --------- d-----w C:\Documents and Settings\Hassaan\Application Data\dvdcss
2008-08-16 22:02 49,152 ----a-w C:\WINDOWS\uninstal.exe
2008-08-12 13:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 11:30 19,016 ----a-w C:\Documents and Settings\Hassaan\Application Data\GDIPFONTCACHEV1.DAT
2008-08-08 10:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-27 12:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-27 12:03 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-22 20:00 19,064 ----a-w C:\Documents and Settings\aaa.NONAME\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 08:24 2,643,424 ----a-w C:\Program Files\Age2upA.exe
2007-04-21 03:52 17,152 ----a-w C:\Documents and Settings\bbb\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 05:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 05:07 114688]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 17:02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Age Of Empire-II\\Empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"F:\\Lime\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
R2 IBService;IBService;d:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 14:38]
S1 CXAVSAUD;Compro VideoMate X series Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2006-03-22 15:07]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 16:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b86b350-e567-11db-b99e-00407b7973d5}]
\Shell\AutoRun\command - K:\m88coaim.exe
\Shell\explore\Command - K:\m88coaim.exe
\Shell\open\Command - K:\m88coaim.exe
*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Hassaan\Application Data\Mozilla\Firefox\Profiles\xmrnlfiq.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 12:32:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-26 12:38:08
ComboFix-quarantined-files.txt 2008-08-26 07:37:31
ComboFix2.txt 2008-08-14 10:18:20
Pre-Run: 3,006,251,008 bytes free
Post-Run: 3,028,811,776 bytes free
112 --- E O F --- 2008-08-15 05:09:00

I look for posts for about two days; any longer than that and you should alert me.
Copy the text below between the X's into Notepad, making sure the first line is at the top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
attrib -r -a -s -h *.* /s /d
del /a /f K:\m88coaim.exe
del /a /f K:\autorun.inf
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Once copied into Notepad click File > Save > in the "Save in" box select Desktop, then in the file name box type joe.bat, then click Save. You should now have a joe.bat file on your desktop. If not, let me know. Double click the joe.bat file; it will run in about a second.
Now, open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b86b350-e567-11db-b99e-00407b7973d5}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "run".
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
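Added example, not from this thread or from ComboFix: Explorer caches a drive's autorun.inf verbs under the per-volume GUID key in mountpoints2, which is why the ComboFix log lists `\Shell\AutoRun\command`, `\Shell\explore\Command` and `\Shell\open\Command` pointing at K:\m88coaim.exe and why the CFScript above deletes that key. This Python parser maps an autorun.inf (a constructed sample; the real file was never posted, and the key names are the standard ones) to those cached verbs and flags targets worth quarantining, including the smss.exe-at-drive-root pattern the Kaspersky report in this thread shows; the system-process name list is an assumption.

```python
import configparser
import ntpath

# Constructed sample autorun.inf of the shape that yields the three cached
# mountpoints2 verbs ComboFix listed (AutoRun, explore, open). The real file
# was not posted; the key names are the standard autorun.inf keys.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=m88coaim.exe
shellexecute=m88coaim.exe
shell\\explore\\command=m88coaim.exe
shell\\open\\command=m88coaim.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Core Windows process names that never belong at the root of a drive; the
# Kaspersky report in this thread flags D:\smss.exe and E:\smss.exe (assumed list).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}


def parse_autorun(text):
    """Map an autorun.inf to {verb: command}, the way Explorer caches it.

    'open=' and 'shellexecute=' both feed the AutoRun verb; a
    'shell\\<verb>\\command=' key feeds that verb. Keys are case-insensitive.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    verbs = {}
    for key, value in cp.items("autorun"):
        key = key.lower()
        if key in ("open", "shellexecute"):
            verbs.setdefault("AutoRun", value.strip())
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            verbs[verb] = value.strip()
    return verbs


def suspicious_targets(verbs, drive="K:"):
    """Flag verb targets worth quarantining; returns [(verb, full_path, reason)].

    Relative targets are resolved against the drive root, as Explorer does.
    """
    findings = []
    for verb, command in verbs.items():
        cmd = command.strip()
        if cmd.startswith('"'):
            exe = cmd[1:].split('"', 1)[0]        # quoted path, may contain spaces
        else:
            exe = cmd.split()[0] if cmd else ""    # first token is the program
        if not exe:
            continue
        full = exe if ntpath.splitdrive(exe)[0] else ntpath.join(drive + "\\", exe)
        name = ntpath.basename(full).lower()
        if name in SYSTEM_PROCESS_NAMES:
            findings.append((verb, full, "Windows system process name at drive root"))
        elif name.endswith((".exe", ".com", ".bat", ".cmd", ".scr", ".pif")):
            findings.append((verb, full, "executable wired to a drive verb"))
    return findings


if __name__ == "__main__":
    for verb, path, reason in suspicious_targets(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(f"{verb:8} {path}  <- {reason}")
```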

Here's the log produced by ComboFix
----------------
ComboFix 08-08-24.03 - Hassaan 2008-08-27 16:41:49.9 - NTFSx86
Running from: C:\Documents and Settings\Hassaan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hassaan\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-25 20:05 . 2008-08-25 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\Hassaan\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:05 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 00:54 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-25 00:51 . 2008-08-25 00:54 <DIR> d-------- C:\Program Files\Java
2008-08-25 00:51 . 2008-08-25 00:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-20 18:38 . 2008-08-27 01:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-20 18:38 . 2008-08-20 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-19 23:23 . 2008-08-19 23:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 03:02 . 2008-08-25 20:09 <DIR> d-------- C:\Program Files\Ontrack
2008-08-14 11:23 . 2008-08-14 11:23 <DIR> d-------- C:\log
2008-08-08 16:07 . 2008-08-08 16:07 286,720 --------- C:\WINDOWS\Setup1.exe
2008-08-08 16:07 . 2008-08-08 16:07 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2008-08-07 19:53 . 2008-08-07 20:03 <DIR> d-------- C:\Documents and Settings\Hassaan\.netvis
2008-08-07 19:50 . 2008-08-07 19:50 <DIR> d-------- C:\Program Files\RouterSim
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 10:52 --------- d-----w C:\Program Files\VideoMate
2008-08-18 21:54 --------- d-----w C:\Documents and Settings\Hassaan\Application Data\dvdcss
2008-08-16 22:02 49,152 ----a-w C:\WINDOWS\uninstal.exe
2008-08-12 13:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 11:30 19,016 ----a-w C:\Documents and Settings\Hassaan\Application Data\GDIPFONTCACHEV1.DAT
2008-08-08 10:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-27 12:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-27 12:03 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-22 20:00 19,064 ----a-w C:\Documents and Settings\aaa.NONAME\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 08:24 2,643,424 ----a-w C:\Program Files\Age2upA.exe
2007-04-21 03:52 17,152 ----a-w C:\Documents and Settings\bbb\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-08-26_12.35.00.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-26 07:08:51 223,830 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-27 10:52:28 223,826 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 05:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 05:07 114688]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 17:02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Age Of Empire-II\\Empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"F:\\Lime\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
R2 IBService;IBService;d:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 14:38]
R3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 16:25]
S1 CXAVSAUD;Compro VideoMate X series Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2006-03-22 15:07]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 16:46:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-27 16:51:20
ComboFix-quarantined-files.txt 2008-08-27 11:50:14
ComboFix2.txt 2008-08-26 07:38:21
ComboFix3.txt 2008-08-14 10:18:20
Pre-Run: 2,957,484,032 bytes free
Post-Run: 2,951,053,312 bytes free
109 --- E O F --- 2008-08-15 05:09:00

Now here's the Kaspersky log:
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 27, 2008 18:20:32
Records in database: 1151835
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 144763
Threat name: 5
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 05:04:16
File name / Threat name / Threats count
D:\autorun.inf Infected: Virus.Win32.AutoRun.abt 1
D:\smss.exe Infected: Worm.Win32.AutoRun.ek 1
D:\ntde1ect.com Infected: Packed.Win32.NSAnti.r 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003159.inf Infected: Virus.Win32.AutoRun.abt 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003181.inf Infected: Virus.Win32.AutoRun.abt 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003193.com Infected: Packed.Win32.NSAnti.r 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0003216.com Infected: Packed.Win32.NSAnti.r 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004192.inf Infected: Virus.Win32.AutoRun.abt 1
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004209.com Infected: Packed.Win32.NSAnti.r 1
E:\ntde1ect.com Infected: Packed.Win32.NSAnti.r 1
E:\smss.exe Infected: Worm.Win32.AutoRun.ek 1
E:\autorun.inf Infected: Virus.Win32.AutoRun.abt 1
E:\System Volume Information\_restore{D81FC5BC-2D78-4CBC-95D4-1E5F785997EC}\RP91\A0057837.exe Infected: not-a-virus:AdWare.Win32.EZula.bh 1
E:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003182.inf Infected: Virus.Win32.AutoRun.abt 1
E:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003194.com Infected: Packed.Win32.NSAnti.r 1
E:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0003217.com Infected: Packed.Win32.NSAnti.r 1
E:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004193.inf Infected: Virus.Win32.AutoRun.abt 1
E:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004210.com Infected: Packed.Win32.NSAnti.r 1
F:\yehai\My Received Files\key finder\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
F:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003183.inf Infected: Virus.Win32.AutoRun.abt 1
F:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003195.com Infected: Packed.Win32.NSAnti.r 1
F:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0003218.com Infected: Packed.Win32.NSAnti.r 1
F:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004195.inf Infected: Virus.Win32.AutoRun.abt 1
F:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP7\A0004211.com Infected: Packed.Win32.NSAnti.r 1
F:\autorun.inf Infected: Virus.Win32.AutoRun.abt 1
F:\smss.exe Infected: Worm.Win32.AutoRun.ek 1
F:\ntde1ect.com Infected: Packed.Win32.NSAnti.r 1

The selected area was scanned.
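
The layout in that log (an autorun.inf in each drive root next to smss.exe and ntde1ect.com) is the classic removable-drive worm pattern, and it is the same one that later in this thread travels to a second PC on a pen drive. The script below is an added example for readers of this thread, not a tool anyone here used: it reads a drive root's autorun.inf, pulls out the keys Windows acts on (open, shellexecute, shell\...\command), and flags launch targets that sit in that same root, plus root-level files that borrow a Windows system-process name such as smss.exe, which belongs in system32. The sample autorun.inf body is constructed, and the list of launch keys is an assumption about what such droppers write, not something taken from this machine.

```python
import configparser
import os
import tempfile
from typing import List, Optional

# Windows system-process names that belong in \WINDOWS\system32, never in a drive root.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}

# autorun.inf keys whose value Windows would run on insertion, AutoPlay or double-click
# (assumed list of the commonly used keys; not taken from this thread's logs).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Constructed sample in the style of the files the log flagged. The key/value pairs are an
# assumption about what such a dropper's autorun.inf contains, not copied from the machine.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=ntde1ect.com
shell\open\Command=ntde1ect.com
shellexecute="smss.exe" /quiet
"""


def parse_launch_targets(inf_text: str) -> List[str]:
    """Return the program names referenced by launch keys, in order, without duplicates."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        # A file that is not even valid INI cannot launch anything through AutoPlay.
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            value = parser.get(section, key, fallback=None)
            if value is None:
                continue
            # Command lines may carry arguments and quotes; keep only the program token.
            tokens = value.strip().strip('"').split()
            if tokens:
                targets.append(os.path.basename(tokens[0].strip('"')).lower())
    return list(dict.fromkeys(targets))


def scan_root(listing: List[str], inf_text: Optional[str]) -> List[str]:
    """Judge one drive root from its file names and its autorun.inf body (None if absent)."""
    names = {n.lower() for n in listing}
    findings = []
    if inf_text is not None:
        for target in parse_launch_targets(inf_text):
            if target in names:
                findings.append(f"autorun.inf launches a file in the drive root: {target}")
    for name in sorted(names & SYSTEM_PROCESS_NAMES):
        findings.append(f"system-process name sitting in the drive root: {name}")
    return findings


def scan_drive_root(root: str) -> List[str]:
    """Read a real drive root (for example "E:\\" on Windows) and evaluate it with scan_root()."""
    listing = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
    inf_name = next((n for n in listing if n.lower() == "autorun.inf"), None)
    inf_text = None
    if inf_name is not None:
        with open(os.path.join(root, inf_name), encoding="utf-8", errors="replace") as fh:
            inf_text = fh.read()
    return scan_root(listing, inf_text)


if __name__ == "__main__":
    # Throwaway directory standing in for the infected D:\, E:\ and F:\ roots (constructed).
    with tempfile.TemporaryDirectory() as fake_root:
        for name in ("smss.exe", "ntde1ect.com", "holiday photos.zip"):
            open(os.path.join(fake_root, name), "wb").close()
        with open(os.path.join(fake_root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        for finding in scan_drive_root(fake_root):
            print(finding)
```

Run it against each removable drive root before opening the drive in Explorer. A hit on the launch check alone is a triage signal rather than a verdict, since installer CDs also use open= to start a setup program in the root; a system-process name in a drive root, on the other hand, has no legitimate explanation.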

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
D:\autorun.inf
D:\smss.exe
D:\ntde1ect.com
E:\ntde1ect.com
E:\smss.exe
E:\autorun.inf
F:\autorun.inf
F:\smss.exe
F:\ntde1ect.com
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if combofix does not auto start click "run".
Post a new Combofix log.
Empty the restore folder. Go to start>control panel>system>system restore tab> select the D, E, and F drives> check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Run the Kaspersky scan again; as you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

ComboFix log
------------
ComboFix 08-08-24.03 - Hassaan 2008-08-28 17:56:07.10 - NTFSx86
Running from: C:\Documents and Settings\Hassaan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hassaan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
D:\autorun.inf
D:\ntde1ect.com
D:\smss.exe
E:\autorun.inf
E:\ntde1ect.com
E:\smss.exe
F:\autorun.inf
F:\ntde1ect.com
F:\smss.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\autorun.inf
D:\ntde1ect.com
D:\smss.exe
E:\autorun.inf
E:\ntde1ect.com
E:\smss.exe
F:\autorun.inf
F:\ntde1ect.com
F:\smss.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-25 20:05 . 2008-08-25 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\Hassaan\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-25 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 20:05 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 20:05 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 00:54 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-25 00:51 . 2008-08-25 00:54 <DIR> d-------- C:\Program Files\Java
2008-08-25 00:51 . 2008-08-25 00:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-20 18:38 . 2008-08-27 01:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-20 18:38 . 2008-08-20 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-19 23:23 . 2008-08-19 23:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-17 03:02 . 2008-08-25 20:09 <DIR> d-------- C:\Program Files\Ontrack
2008-08-14 11:23 . 2008-08-14 11:23 <DIR> d-------- C:\log
2008-08-08 16:07 . 2008-08-08 16:07 286,720 --------- C:\WINDOWS\Setup1.exe
2008-08-08 16:07 . 2008-08-08 16:07 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2008-08-07 19:53 . 2008-08-07 20:03 <DIR> d-------- C:\Documents and Settings\Hassaan\.netvis
2008-08-07 19:50 . 2008-08-07 19:50 <DIR> d-------- C:\Program Files\RouterSim

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 10:52 --------- d-----w C:\Program Files\VideoMate
2008-08-18 21:54 --------- d-----w C:\Documents and Settings\Hassaan\Application Data\dvdcss
2008-08-16 22:02 49,152 ----a-w C:\WINDOWS\uninstal.exe
2008-08-12 13:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-09 11:30 19,016 ----a-w C:\Documents and Settings\Hassaan\Application Data\GDIPFONTCACHEV1.DAT
2008-08-08 10:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-02-22 20:00 19,064 ----a-w C:\Documents and Settings\aaa.NONAME\Application Data\GDIPFONTCACHEV1.DAT
2007-07-08 08:24 2,643,424 ----a-w C:\Program Files\Age2upA.exe
2007-04-21 03:52 17,152 ----a-w C:\Documents and Settings\bbb\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-08-26_12.35.00.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-26 07:08:51 223,830 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-28 14:04:04 223,833 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 05:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 05:07 114688]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 17:02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Age Of Empire-II\\Empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"F:\\Lime\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R2 IBService;IBService;d:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 14:38]
R3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 16:25]
S1 CXAVSAUD;Compro VideoMate X series Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2006-03-22 15:07]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 19:04:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\SETUPAPI.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\Crypserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
D:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
D:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-08-28 19:16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 14:16:28
ComboFix2.txt 2008-08-27 11:51:21
ComboFix3.txt 2008-08-26 07:38:21
ComboFix4.txt 2008-08-14 10:18:20

Pre-Run: 2,970,697,728 bytes free
Post-Run: 3,014,397,952 bytes free

148 --- E O F --- 2008-08-15 05:09:00

I tried to empty the system restore folders on D, E and F the way you told me to, but it didn't work. They are still the same size. Do I delete them manually?

The size would be the same after you turned system restore back on as it is a provided space not dependent on file size or number of files. They should be clean if you selected each drive and followed the procedure. If you do not think they were cleaned, purge each drive independently.

I didn't get it; the 'System Volume Information' folders on each drive contain subfolders, which are the restore points I can switch back to in case something goes wrong or I want to get back to the settings I had, let's say, a week ago, right? When I checked 'Turn off System Restore on all drives', all the subfolders in each 'System Volume Information' folder on each drive should've been deleted, right? Correct me if I'm wrong. Emptying the 'Restore Folders' means that they shouldn't contain anything, i.e. their size should be 0, just like the 'System Volume Information' folder on my C: drive. My confusion is that when I checked 'Turn off System Restore on all drives', why was only the folder on C: emptied? The folder on D: is around 350MB, the ones on E: and F: are around 650MB each - WASTAGE of so much space, isn't it?
It was really annoying me, so I've deleted all the subfolders manually and freed a lot of space on my drives.
I hope I haven't done anything that'll have detrimental consequences.

I don't believe you hurt anything as they will probably be rebuilt. Are drives D, E and F actually hard drives or are they jump drives? If they were jump/pen drives they probably contained viruses anyway and it doesn't make any difference if they were deleted. If they are hard drives Windows will rebuild them if you did not adjust the provided space to less than needed to copy the info on the drives, I believe.
How is the computer operating?

The computer is operating fine. C, D, E, F are 4 partitions (10GB each) on my hard drive of 40GB. All I did was go to the 'System Volume Information' folder on each drive (excluding C) and delete all the subfolders without adjusting anything like the provided space or whatever. I did this after checking 'Turn off System Restore on all drives' and it's still off. Should I turn it back on before running Kaspersky?

Yes turn it back on, it is easy to empty it again and difficult (actually just time consuming) to reinstall your system.

If you want to get an idea of how slow my computer is, just look at the duration of this scan; it took more than 6 and a 1/2 HOURS to complete in spite of the fact that I emptied all the restore folders. Is there anything on earth I can do to speed up this absolutely crap computer of mine? It's making me pull my hair out!
Here's the log
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 01, 2008 20:57:20
Records in database: 1175380
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 142750
Threat name: 4
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 06:35:11
File name / Threat name / Threats count
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003159.inf Infected: Virus.Win32.AutoRun.abt 1
D:\Qoobox\Quarantine\D\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
D:\Qoobox\Quarantine\D\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
D:\Qoobox\Quarantine\D\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1
E:\Qoobox\Quarantine\E\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
E:\Qoobox\Quarantine\E\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
E:\Qoobox\Quarantine\E\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1
F:\yehai\My Received Files\key finder\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
F:\Qoobox\Quarantine\F\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
F:\Qoobox\Quarantine\F\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
F:\Qoobox\Quarantine\F\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1

The selected area was scanned.

I don't see anything.
Empty the restore "D:" drive folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Go to start> run> type in combofix /u (note the space after combofix) then press enter. Give it a minute. This will uninstall Combofix.
Go to start> control panel> add/remove programs and uninstall Hijack This; you should keep Malwarebytes and ATF Cleaner and run them weekly.

What about these:
File name / Threat name / Threats count
D:\System Volume Information\_restore{9E1B1E53-404E-4EEC-A9B9-03550CE3400A}\RP6\A0003159.inf Infected: Virus.Win32.AutoRun.abt 1
D:\Qoobox\Quarantine\D\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
D:\Qoobox\Quarantine\D\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
D:\Qoobox\Quarantine\D\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1
E:\Qoobox\Quarantine\E\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
E:\Qoobox\Quarantine\E\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
E:\Qoobox\Quarantine\E\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1
F:\yehai\My Received Files\key finder\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
F:\Qoobox\Quarantine\F\autorun.inf.vir Infected: Virus.Win32.AutoRun.abt 1
F:\Qoobox\Quarantine\F\ntde1ect.com.vir Infected: Packed.Win32.NSAnti.r 1
F:\Qoobox\Quarantine\F\smss.exe.vir Infected: Worm.Win32.AutoRun.ek 1

Some more things I need to ask you bro:
- I have McAfee SecurityCenter installed on my system which I think is one of the reasons my computer is really slow. Do you think I should stick with this antivirus or you would suggest some other antivirus?
- My internet connection sometimes shows a 'Limited or no connectivity' message. I called my ISP to inquire about the problem and I was told that I should always keep my Windows Firewall off as it is of no use. I kept it off for a few days and didn't get the limited connectivity message, but now I've turned it back on and my internet connection is still working fine. What do you suggest on this -- is it safe to turn the firewall off?
- When I click on 'Add or Remove Programs', the 'Currently installed programs' list shows me 'Ask Toolbar' which I had deleted from the program files. When I click on 'Remove', it says:
"Error loading C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll
The specified module could not be found."
What do I do to remove it?

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Go to start> run> type in Combofix /u (note the space after combofix) then press enter. Give it a minute to run. This should uninstall combofix along with the C:\Qoobox folder. Navigate to C:\ and delete the Qoobox folder if it still exists.
You can delete this if you did not install the keyfinder:
F:\yehai\My Received Files\key finder\kf141.zip
If you did not install it delete the "key finder" folder.
I would uninstall McAfee if I didn't have any money invested in it. I use the free version of AVG, you can download it at this link:
AVG Free Antivirus
Update it once you get it installed.
You need to run the firewall.
For connectivity go to start > run, type cmd and press enter or ok.
type
ipconfig /flushdns <-- (The space between g and / is needed)
Then press Enter, type Exit, press Enter again.
If you have an ADSL modem or a router, power both of them down for 30 secs.
Plug them back in and reconnect.
That sometimes helps.

Navigate to and delete this folder if found:
C:\Program Files\AskSBar
...and see if that stops the error.

I really appreciate all the help you've provided me to clean my computer bro. But there is one problem that still remains; the one I mentioned in Response Number 2:
"whenever I close an explorer window e.g. My Computer or My Documents, all my desktop icons and taskbar disappear for a couple of seconds. But it doesn't happen when i have multiple windows open and I close them - means it only happens when I open just one explorer window and then close it."

Please post that question in the XP section of the forum as it sounds more like a Windows problem.

The same viruses you helped me get rid of were transferred to my other PC through a pen drive. The viruses were causing problems like closing my taskmanager and interrupting any software installations. I ran ComboFix once and it seems to have fixed the problem, but I'm not sure that the viruses have been completely removed. What do I do next?

Start a new thread on the second computer, state only the problem. You do not need to run Combofix on your computer without following a helper's advice as some programs will cause it to hang if they are running while Combofix is running and can trash the computer.
