pos tmp files on c, red x,slow,dll

Dell PPO7L
March 3, 2008 at 06:55:25
Specs: Windows XP SP2, pentium[R]4 2.66GHz 512MB

Hi,

I have had thousands of POS tmp files on my documents and c drive with a big red X on c drive.

Thanks to Jabuck's reply to one of the same queries, I have been able to remove the POS files from the C drive and the red X mark.

But I get a DLL error when I start the machine: c:\WINDOWS\System32\yjrnjuk.dll. The specified module could not be found.

2) I got a "malicious script found" error from my expired Norton antivirus while ComboFix was generating logs, so I presume my machine still has infections. Can you please analyze my ComboFix and HijackThis logs? I will post them when I get the reply.

3) When I try to shut down the machine I get an ENDTASK for RCNTNLWB.EXE.
This needs a forced end task for me to proceed.

Please help!!!!

Thanks in advance


Saiza




#1
March 3, 2008 at 14:03:36

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click "yes".

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



#2
March 3, 2008 at 14:50:31

Thanks for your quick reply jabuck. God Bless!!!
Can you please tell me what to do about the DLL error as well... and below are the logs.

HijackThis Log:
===============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:43 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\DrvMon.exe
C:\WINDOWS\system32\kcntnlwb.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {5B4BE51A-EB15-4180-B7EC-4AA657275F2D} - C:\WINDOWS\system32\urqpo.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\ljjggff.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{E5-54-4D-D1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM7bcd67e2] Rundll32.exe "C:\WINDOWS\system32\yjrnjyuk.dll",s
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kcntnlwb.exe DWram
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kcntnlwb.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads...
O20 - Winlogon Notify: ljjggff - ljjggff.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10460 bytes


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ComboFix Logs
===============

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-02 21:36:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Saleem Sheikh\Application Data\PPPATC~1
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\StorageProtector
C:\Program Files\WindowsUpdate\wexucyp89104.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\creditcard.bmp
C:\WINDOWS\system32\Cache\msg.bin
C:\WINDOWS\system32\Cache\search find 2.bmp
C:\WINDOWS\system32\Cache\showbtn.bmp
C:\WINDOWS\system32\Cache\showbtn1.bmp
C:\WINDOWS\system32\Cache\showbtn12.bmp
C:\WINDOWS\system32\Cache\web app.bmp
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\ndtieceg.ini
C:\WINDOWS\SYSTEM32\opqru.ini
C:\WINDOWS\SYSTEM32\opqru.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 17:51 . 2008-03-02 20:23 <DIR> d-------- C:\VundoFix Backups
2008-03-02 15:42 . 2008-03-02 15:42 49,168 --a------ C:\WINDOWS\SYSTEM32\kmwnw64q.exe
2008-03-02 11:32 . 2008-03-02 11:33 200,769 --a------ C:\WINDOWS\SYSTEM32\ncntnlwb.exe
2008-03-02 01:50 . 2008-03-02 01:50 49,184 --a------ C:\WINDOWS\SYSTEM32\kmwnw64l.exe
2008-03-02 01:29 . 2008-03-02 01:29 200,772 --a------ C:\WINDOWS\SYSTEM32\kcntnlwb.exe
2008-03-01 23:10 . 2008-03-02 00:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 23:07 . 2008-03-02 15:39 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-03-01 21:21 . 2008-03-02 01:31 261,896 --a------ C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
2008-03-01 13:06 . 2008-03-02 11:33 22 --a------ C:\WINDOWS\pskt.ini
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:50 . 2008-02-29 23:50 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:47 . 2008-02-29 23:47 49,176 --a------ C:\WINDOWS\SYSTEM32\knwnw64s.exe
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-29 23:36 . 2008-02-29 23:36 200,766 --a------ C:\WINDOWS\SYSTEM32\tcntolwb.exe
2008-02-29 23:36 . 2008-02-29 23:36 49,163 --a------ C:\WINDOWS\SYSTEM32\rwwnw64d.exe
2008-02-29 23:36 . 2008-02-29 23:36 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\sx1
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\pz8
2008-02-29 23:35 . 2008-02-29 23:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\mb4
2008-02-29 23:35 . 2008-03-02 11:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\iDlo01
2008-02-29 23:35 . 2008-03-02 11:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\bt2
2008-02-29 23:35 . 2008-02-29 23:36 <DIR> d-------- C:\Temp\sanR24
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:47 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-03 21:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 23:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-01-05 22:02 32 --sha-w C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
2004-01-05 22:02 32 --sha-w C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4BE51A-EB15-4180-B7EC-4AA657275F2D}]
C:\WINDOWS\system32\urqpo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11 58392]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-14 16:57 100056]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"{E5-54-4D-D1-DW}"="C:\windows\system32\rwwnw64d.exe" [2008-02-29 23:36 49163]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"BM7bcd67e2"="C:\WINDOWS\system32\yjrnjyuk.dll" [ ]
"ExploreUpdSched"="C:\WINDOWS\system32\rcntnlwb.exe" [2008-03-03 21:46 200772]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggff]
ljjggff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 21:45:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\winpfz37.sys 922 bytes
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-03-03 22:15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 22:13:06
.
2008-02-15 08:14:35 --- E O F ---


=============================================

Jabuck, can you please tell me about the other 2 problems mentioned in my original message?

Saiza



#3
March 3, 2008 at 15:37:44

Spyware sweeper and any other realtime protection must be turned off or the fixes may not work.

Some of the problem is a reinfection.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\yjrnjyuk.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\ljjggff.dll
C:\WINDOWS\ljjggff.dll
C:\WINDOWS\system32\urqpo.dll

Driver::
ljjggff

Folder::
C:\VundoFix Backups
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
C:\WINDOWS\SYSTEM32\sx1
C:\WINDOWS\SYSTEM32\pz8
C:\WINDOWS\SYSTEM32\mb4
C:\WINDOWS\SYSTEM32\iDlo01
C:\WINDOWS\SYSTEM32\bt2
C:\Temp\sanR24


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4BE51A-EB15-4180-B7EC-4AA657275F2D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E5-54-4D-D1-DW}"=-
"BM7bcd67e2"=-
"ExploreUpdSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggff]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.
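A way to automate the triage jabuck did by hand above, as an added example that is not part of this thread or of the HijackThis/ComboFix tools: it reads HijackThis O2/O4/O20 lines and drafts the File:: and Registry:: sections of a CFScript in the layout used in this post. The flagging rules (unnamed or file-missing BHOs, Run values that load a system32 DLL through Rundll32, Winlogon Notify entries whose DLL is missing) are my assumptions, and the sample lines are a constructed excerpt of the log posted earlier; the output is a draft for a helper to review, not something to run unread.

```python
"""Triage HijackThis 2.0.2 log lines and draft a ComboFix CFScript from them.

Added example, not code from this thread or from the HijackThis/ComboFix
authors. Flagging rules are assumptions: unnamed or file-missing BHOs (O2),
Run values that load a system32 DLL through Rundll32 (O4), and Winlogon
Notify entries whose DLL is missing (O20).
"""
import re

# Constructed sample: an excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5B4BE51A-EB15-4180-B7EC-4AA657275F2D} - C:\WINDOWS\system32\urqpo.dll (file missing)
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\ljjggff.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM7bcd67e2] Rundll32.exe "C:\WINDOWS\system32\yjrnjyuk.dll",s
O20 - Winlogon Notify: ljjggff - ljjggff.dll (file missing)
"""

MISSING = "(file missing)"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
# Rundll32 launching a DLL that lives under system32 (the pattern of the
# BM7bcd67e2 entry in the log); captures the DLL path.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\\system32\\[^",]+\.dll)"?', re.I)

# Registry keys as ComboFix spells them in its Reg Loading Points section.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def triage(log_text):
    """Return (kind, data, reason) tuples for load points worth removing."""
    flagged = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path, missing = m.group("path"), m.group("path").endswith(MISSING)
            if missing or m.group("name") == "(no name)":
                data = {"clsid": m.group("clsid"), "path": path.replace(MISSING, "").strip()}
                flagged.append(("bho", data, "orphaned BHO" if missing else "unnamed BHO"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:
                data = {"hive": m.group("hive"), "value": m.group("value"), "path": r.group("dll")}
                flagged.append(("run", data, "Rundll32 loads a system32 DLL"))
            continue
        m = O20_RE.match(line)
        if m and m.group("dll").endswith(MISSING):
            flagged.append(("notify", {"name": m.group("name")}, "orphaned Winlogon Notify"))
    return flagged


def build_cfscript(flagged):
    """Render File:: and Registry:: sections in the layout used in the thread."""
    files, reg, runs = [], [], {}
    for kind, data, _reason in flagged:
        if kind == "bho":
            files.append(data["path"])
            reg.append("[-%s\\%s]" % (BHO_KEY, data["clsid"]))   # leading '-' deletes the key
        elif kind == "run":
            files.append(data["path"])
            runs.setdefault(data["hive"], []).append(data["value"])
        elif kind == "notify":
            reg.append("[-%s\\%s]" % (NOTIFY_KEY, data["name"]))
    for hive, values in runs.items():
        reg.append("[%s]" % RUN_KEYS[hive])          # key stays; listed values are removed
        reg.extend('"%s"=-' % v for v in values)
    # dict.fromkeys keeps first-seen order while dropping duplicate paths
    return "\n".join(["File::", *dict.fromkeys(files), "", "Registry::", *reg, ""])


if __name__ == "__main__":
    for kind, data, reason in triage(SAMPLE_LOG):
        print("%-7s %-28s %s" % (kind, reason, data))
    print()
    print(build_cfscript(triage(SAMPLE_LOG)))
```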



#4
March 4, 2008 at 14:55:01

Thanks a lot jabuck for your efforts. Please find below the new combofix log.

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-05 22:41:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Saleem Sheikh\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\WINDOWS\{347B965F-4432-482C-B603-E0BABBC12087}.dat
C:\WINDOWS\ljjggff.dll
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\{0369CF41-A946-46A6-9522-FBFCFC52F4DF}.dat
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\system32\ljjggff.dll
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\system32\urqpo.dll
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\yjrnjyuk.dll
C:\WINDOWS\system32\zxdnt3d.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
C:\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Saleem Sheikh\Start Menu\Programs\Startup\DW_Start.lnk
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\dbfobxeu.dllbox.bad
C:\VundoFix Backups\odjfbfid.dll.bad
C:\VundoFix Backups\ssqnmnk.dll.bad
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bt2
C:\WINDOWS\SYSTEM32\iDlo01
C:\WINDOWS\SYSTEM32\kcntnlwb.exe
C:\WINDOWS\SYSTEM32\kmwnw64l.exe
C:\WINDOWS\SYSTEM32\kmwnw64q.exe
C:\WINDOWS\SYSTEM32\knwnw64s.exe
C:\WINDOWS\SYSTEM32\mb4
C:\WINDOWS\SYSTEM32\mb4\renabcom4.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\ncntnlwb.exe
C:\WINDOWS\SYSTEM32\pz8
C:\WINDOWS\SYSTEM32\pz8\np89104.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\WINDOWS\SYSTEM32\sx1
C:\WINDOWS\SYSTEM32\sx1\ravecom3.exe
C:\WINDOWS\SYSTEM32\tcntolwb.exe
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-04 11:38 . 2008-03-04 11:38 1,635 --a------ C:\WINDOWS\SYSTEM32\drbingo.ico
2008-03-03 22:47 . 2008-03-03 22:47 49,175 --a------ C:\WINDOWS\SYSTEM32\kmwnw64o.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2008-03-05 16:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 22:45 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec
2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft
2008-03-04 22:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 22:45:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 22:47:43
ComboFix-quarantined-files.txt 2008-03-05 22:46:44
ComboFix2.txt 2008-03-03 22:15:57
.
2008-02-15 08:14:35 --- E O F ---

If you can please also let me know what to do about the rundll error that I get when I start the system.

Thanks in advance

Saiza



#5
March 4, 2008 at 16:09:32

Most likely there are still some files needing to be deleted that try to run on the computer but do not have enough support from the malware causing the rundll error.

Download SDFix to your desktop from the following link:

SDFix.exe.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.


Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.


Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.

Post a new Hijack This log please.



#6
March 5, 2008 at 08:50:37


Hi,

Report.txt Log
===============


[b]SDFix: Version 1.153 [/b]

Run by Saleem Sheikh on Thu 03/06/2008 at 04:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sun 3 Apr 2005 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Sun 3 Apr 2005 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Mon 24 Sep 2007 97,280 ...H. --- "C:\Documents and Settings\Saleem Sheikh\Desktop\~WRL0002.tmp"
Sun 13 Jan 2008 98,304 ...H. --- "C:\Documents and Settings\Saleem Sheikh\Desktop\~WRL2641.tmp"
Fri 29 Feb 2008 41,723 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe"
Tue 15 Jan 2008 140,800 A.SH. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197781.exe"
Wed 25 Feb 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Wed 25 Feb 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 27 Apr 2007 8 A..H. --- "C:\Documents and Settings\Saleem Sheikh\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

[b]Finished![/b]


====================================================================================================================================

HijackThis Log:
---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:57 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads...
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8011 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Red X on my C Drive has appeared once again :(

Thanks in advance. You are very very helpful !!!

Saiza



#7
March 6, 2008 at 03:33:33

Sorry for the delay.

Post a new Combofix log please.



#8
March 6, 2008 at 15:11:02

Hi jabuck...

Please find below the fresh logs for Combofix

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-07 22:57:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.246 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-06 16:08 . 2008-03-06 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix
2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-04 11:38 . 2008-03-04 11:38 1,635 --a------ C:\WINDOWS\SYSTEM32\drbingo.ico
2008-03-03 22:47 . 2008-03-03 22:47 49,175 --a------ C:\WINDOWS\SYSTEM32\kmwnw64o.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2008-03-07 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:00 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-07 16:26 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec
2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 20:18 368640]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 23:01:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 23:03:05
ComboFix-quarantined-files.txt 2008-03-07 23:02:12
ComboFix2.txt 2008-03-05 22:47:44
ComboFix3.txt 2008-03-03 22:15:57
.
2008-02-15 08:14:35 --- E O F ---


Can you please let me know why CCleaner and Kaspersky Online Scanner are being suggested in other related queries.

Saiza



#9
March 6, 2008 at 16:58:35

We normally remove all visible signs of malware before running those two tools.

Make sure you have Spyware Sweeper disabled.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\SYSTEM32\kkwnw64m.exe
C:\WINDOWS\SYSTEM32\qcntllwb.exe
C:\WINDOWS\SYSTEM32\drbingo.ico
C:\WINDOWS\SYSTEM32\kmwnw64o.exe
C:\WINDOWS\SYSTEM32\rcntnlwb.exe

Folder::
C:\Program Files\RABCO

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

You certainly have a baddie, but unfortunately you posted a Hijack This log without being requested to (against forum rules) so this post will get deleted by the moderator.

Once it is deleted post again and state only the problem, no logs please.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it, using it only as suggested; it's powerful, so use only the prechecked items.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new Combofix log and Hijack This log please..


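Following jabuck's CFScript instructions by hand means picking the suspect entries out of the ComboFix "Files Created" section and retyping them under "File::" and "Folder::". As an added example (not the forum's, jabuck's or ComboFix's own code), the Python below parses a constructed excerpt of that section (a subset of the entries in the log above), flags binaries written straight into SYSTEM32 using a heuristic that is my own assumption rather than a ComboFix rule (recent, direct child of SYSTEM32, created and modified stamps identical, so the file was written in place rather than installed from a package that keeps its build date), lists new hidden+system directories for manual review, and emits a CFScript in the layout shown above. The RABCO folder is passed in explicitly, as jabuck did, because the log alone does not reveal it; drbingo.ico is not caught because the filter only looks at executable extensions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample in the layout of a ComboFix "Files Created" section
# (a subset of the entries shown in the thread's log).
SAMPLE_LOG = r"""
2008-03-06 16:08 . 2008-03-06 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix
2008-03-05 22:27 . 2008-03-05 22:27 49,176 --a------ C:\WINDOWS\SYSTEM32\kkwnw64m.exe
2008-03-05 22:02 . 2008-03-05 22:02 200,772 --a------ C:\WINDOWS\SYSTEM32\qcntllwb.exe
2008-03-04 11:38 . 2008-03-04 11:38 1,635 --a------ C:\WINDOWS\SYSTEM32\drbingo.ico
2008-03-03 22:47 . 2008-03-03 22:47 49,175 --a------ C:\WINDOWS\SYSTEM32\kmwnw64o.exe
2008-03-03 21:46 . 2008-03-03 21:46 200,772 --a------ C:\WINDOWS\SYSTEM32\rcntnlwb.exe
2008-03-01 23:10 . 2008-03-07 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-29 23:36 . 2008-03-01 21:19 <DIR> d-------- C:\Program Files\RABCO
"""

# Completion time of the scan that produced the sample (from the log header).
SCAN_TIME = datetime(2008, 3, 7, 23, 0)

# created . modified size-or-<DIR> nine-char-attributes path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    is_dir: bool
    size: Optional[int]
    attrs: str
    path: str


def parse_created_section(text: str) -> List[Entry]:
    """Parse the 'Files Created' lines; banners, '.' rows and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            is_dir=is_dir,
            size=None if is_dir else int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def suspicious_system32_executables(entries: List[Entry], scan_time: datetime,
                                    window_days: int = 7) -> List[Entry]:
    """Heuristic (my assumption, not a ComboFix rule): an .exe/.dll/.sys placed
    directly in SYSTEM32 within the window, whose created and modified stamps
    are identical, was written in place rather than copied from an installer
    that preserves the file's original build date."""
    window = timedelta(days=window_days)
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        folder, _, name = e.path.rpartition("\\")
        if folder.lower() != r"c:\windows\system32":
            continue
        if not name.lower().endswith((".exe", ".dll", ".sys")):
            continue
        if e.created != e.modified or scan_time - e.created > window:
            continue
        hits.append(e)
    return hits


def hidden_system_dirs(entries: List[Entry]) -> List[str]:
    """New directories carrying both hidden and system attributes: review by hand."""
    return [e.path for e in entries if e.is_dir and "h" in e.attrs and "s" in e.attrs]


def build_cfscript(files: List[str], folders: List[str]) -> str:
    """Emit the File:: / Folder:: layout used in the helper's instructions."""
    return "\n".join(["File::", *files, "", "Folder::", *folders, ""])


def analyse_sample():
    entries = parse_created_section(SAMPLE_LOG)
    flagged = suspicious_system32_executables(entries, SCAN_TIME)
    review = hidden_system_dirs(entries)
    # RABCO is supplied explicitly: the scanner, not this log, identified it.
    script = build_cfscript([e.path for e in flagged], [r"C:\Program Files\RABCO"])
    return entries, flagged, review, script


if __name__ == "__main__":
    _, flagged, review, script = analyse_sample()
    print("Review manually:", review)
    print(script)
```

Run it as-is to print the generated CFScript.txt text for the sample; to use it on a real log, paste the "Files Created" section into SAMPLE_LOG (or read it from a file) and set SCAN_TIME from the log's "Completion time" line. Treat the flagged list as a triage aid only: confirm each hit against a scanner verdict, as the Kaspersky report later in this thread does, before putting it into a CFScript.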

#10
March 7, 2008 at 18:13:27

Sorry, I did not realise that I posted the logs without request.

Kaspersky Log:
=============
---------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 1:57:52 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/03/2008
Kaspersky Anti-Virus database records: 611526
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64391
Number of viruses found: 21
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 01:33:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Aventail\LogFiles\odxsp.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temp\~DF29DC.tmp Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\QooBox\Quarantine\C\Documents and Settings\Saleem Sheikh\Application Data\setup_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ec skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\Program Files\WindowsUpdate\wexucyp89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\VundoFix Backups\odjfbfid.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ssqnmnk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kcntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kkwnw64m.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64l.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64o.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kmwnw64q.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\knwnw64s.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mb4\renabcom4.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ncntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pz8\np89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pz8\np89104.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qcntllwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rcntnlwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sx1\ravecom3.exe.vir Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tcntolwb.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\SDFix\backups\backups.zip/backups/UGA6P_0001_N122M0611NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202028.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202030.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202037.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0202038.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0204041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1003\A0204042.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204077.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204078.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204079.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204139.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ce skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1004\A0204141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1005\A0204172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1005\A0204173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204817.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204818.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204818.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204819.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204823.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ec skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204825.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204826.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204827.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204828.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204829.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204830.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204831.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1012\A0204895.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206090.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206092.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206093.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206094.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\A0206095.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1015\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP998\A0193747.exe Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0193762.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0194776.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0195752.exe Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0195776.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0196769.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197769.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197774.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197775.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197777.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197780.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197781.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197782.exe Infected: not-a-virus:AdWare.Win32.Rabio.g skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP999\A0197792.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

____________________________________________________________________________________________________________________________________

ComboFix Logs:
==============

ComboFix 08-03-03.4 - Saleem Sheikh 2008-03-08 23:47:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.292 [GMT 0:00]
Running from: C:\Documents and Settings\Saleem Sheikh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Saleem Sheikh\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\SYSTEM32\drbingo.ico
C:\WINDOWS\SYSTEM32\kkwnw64m.exe
C:\WINDOWS\SYSTEM32\kmwnw64o.exe
C:\WINDOWS\SYSTEM32\qcntllwb.exe
C:\WINDOWS\SYSTEM32\rcntnlwb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\RABCO
C:\Program Files\RABCO\RABCO.dll
C:\WINDOWS\SYSTEM32\drbingo.ico
C:\WINDOWS\SYSTEM32\kkwnw64m.exe
C:\WINDOWS\SYSTEM32\kmwnw64o.exe
C:\WINDOWS\SYSTEM32\qcntllwb.exe
C:\WINDOWS\SYSTEM32\rcntnlwb.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-06 16:08 . 2008-03-06 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-06 16:02 . 2008-03-06 16:31 <DIR> d-------- C:\SDFix
2008-03-01 23:10 . 2008-03-07 11:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-01 23:10 . 2008-03-01 23:10 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\PC Tools
2008-03-01 23:10 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-01 23:10 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-01 23:10 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-01 23:10 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-01 00:55 . 2008-03-01 00:55 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUK.ico
2008-02-29 23:51 . 2008-02-29 23:51 13,942 --a------ C:\WINDOWS\SYSTEM32\N90-002.ico
2008-02-29 23:48 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-02-29 23:36 . 2008-03-02 11:01 <DIR> d--hs---- C:\WINDOWS\QUE
2008-02-13 19:13 . 2008-02-29 19:36 <DIR> d-------- C:\Documents and Settings\Saleem Sheikh\Application Data\NCH Swift Sound
2008-02-13 19:13 . 2008-02-13 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound
2008-02-13 19:12 . 2008-02-13 19:12 <DIR> d-------- C:\Program Files\NCH Software
2008-02-13 19:11 . 2008-02-29 19:36 <DIR> d-------- C:\Program Files\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 23:36 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-08 17:26 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-03-05 22:30 --------- d-----w C:\Program Files\Symantec
2008-03-05 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 22:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-03-05 22:18 --------- d-----w C:\Documents and Settings\Saleem Sheikh\Application Data\Lavasoft
2008-02-11 18:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-29 20:59 200 ----a-w C:\Documents and Settings\Saleem Sheikh\HiScores.dat
2008-01-22 14:40 --------- d-----w C:\Program Files\Google
2007-12-30 08:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-25 16:28 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-12-25 16:28 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="C:\WINDOWS\System32\DrvMon.exe" [2004-09-10 02:16 53248]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 16:31 68856]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-11-21 02:11 3289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 23:17 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 23:21 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 23:15 610304]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 22:15 327680]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 07:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 16:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-09-23 17:23 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 19:12 290816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 15:24 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-23 12:01 282624]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 19:25 1003520]
"BigDog305"="C:\WINDOWS\VM305_STI.exe" [2005-08-05 14:15 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-25 16:27 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-10 16:31:09 124912]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2004-02-26 13:10:33 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 ZSMC0305;SUPER 188 PC CAMERA;C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-03-22 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efe54238-9b94-11dc-9ad4-000d56ad71b7}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 23:51:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 23:52:52
ComboFix-quarantined-files.txt 2008-03-08 23:52:01
ComboFix2.txt 2008-03-07 23:03:06
ComboFix3.txt 2008-03-05 22:47:44
ComboFix4.txt 2008-03-03 22:15:57
.
2008-02-15 08:14:35 --- E O F ---

____________________________________________________________________________________________________________________________________

HijackThis Logs
===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:41 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Saleem Sheikh\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKUS\S-1-5-18\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [barcontrol.dll OCX] regsvr32.exe /s "C:\Program Files\Common Files\Real\GToolbar\barcontrol.dll" (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads...
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7805 bytes


Sorry, it looks like my computer is taking too much of your time and effort. Thanks a million!!!

Saiza



#11
March 7, 2008 at 20:34:34

Much better, your computer appears to be clean.

A little cleanup left to do.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Run CCleaner again.

Go to start> run> type in combofix /u (there must be a space after combofix) then press ok. That will remove combofix.

Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Click on the JDK 6 Update 5 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.



#12
March 8, 2008 at 15:07:15

Thanks a lot jabuck!!! I have done all the steps mentioned above.

I have 2 questions... if you can please help me with those.

1) When I ran Kaspersky online scanner, there were around 25 viruses and 71 infections. Are they not harmful? How do I remove them???

2) When I am using Yahoo Messenger, there are some junk links that appear on IM screens as messages. Below is one such incident.

Mohd ismail: Trình di?n xi?c "r?n tóc gáy" http://gaigoitanbinh.xlphp.net/
Mohd ismail: Trình di?n xi?c "r?n tóc gáy" http://gaigoitanbinh.xlphp.net/

Can you please let me know how I remove them and why they appear? Is it any kind of virus infection?

3) I have only Spyware Doctor freeware on my machine. Do you have any suggestions for freeware software that can effectively protect my machine?

Thanks a million for all the help. My computer's performance has also improved tremendously. Thanks once again.

Saiza



#13
March 8, 2008 at 16:12:29

Download Registry Search to your desktop and double-click it> click regsearch.exe> click run> click run again. Copy/paste:

SSCVIIHOST.exe


in the top line and click "Ok". It takes a minute to run, then Notepad will open with text in it (the file will be saved in the program's folder as well). Post this text.



#14
March 9, 2008 at 10:01:04

Hi, here is the text.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 3/10/2008 4:58:40 PM for strings:
; 'sscviihost.exe '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Saiza



#15
March 9, 2008 at 12:43:31

Please post a new Kaspersky log.


#16
March 11, 2008 at 10:35:57

Kaspersky Log:
=============

---------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 5:32:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/03/2008
Kaspersky Anti-Virus database records: 624265
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64505
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:57:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Aventail\LogFiles\odxsp.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temp\~DF25E7.tmp Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat Object is locked skipped
C:\Documents and Settings\Saleem Sheikh\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{18E7DA77-AB5E-45AC-972B-063EC31C2B4D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks

Saiza



#17
March 11, 2008 at 18:47:06

Looks like your computer is clean.

You might try a different online scanner.

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.



#18
March 12, 2008 at 10:20:13

BitDefender Online Scanner

Scan report generated at: Thu, Mar 13, 2008 - 17:07:48

Scan path: C:\;D:\;

Statistics
Time: 01:34:27
Files: 289336
Folders: 6063
Boot Sectors: 3
Archives: 3640
Packed Files: 10266

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info
Virus Definitions: 986901
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Program Files\Islamasoft Solutions\The Hadith Software\Muwatta32.dll - Suspected of: Generic.Malware.Gprn.EAC33FBE
C:\Program Files\Islamasoft Solutions\The Hadith Software\Muwatta32.dll - Disinfection failed
C:\Program Files\Islamasoft Solutions\The Hadith Software\Muwatta32.dll - Deleted
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0000108.dll - Suspected of: Generic.Malware.Gprn.EAC33FBE
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0000108.dll - Disinfection failed
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0000108.dll - Deleted

Saiza



#19
March 12, 2008 at 19:57:47

How is your computer operating?


#20
March 13, 2008 at 08:06:12

Thanks jabuck. My computer is operating 100 times better than it used to.

Do you think my system is clean now? What should I do to keep it clean in future as well, because I use freeware antivirus?

Saiza



#21
March 13, 2008 at 18:54:01

I use AVG free antivirus, ZoneAlarm free firewall, SpywareBlaster, keep Java and Windows updated and run CCleaner at least weekly to clean temp files. And of course stay off those less desirable sites.

Go to start> run> type in combofix /u (there must be a space after combofix) then press enter; this will uninstall ComboFix.

Go to start> control panel>add/remove programs and uninstall these programs:


Hijack This
Kaspersky

Delete the SDFix icon on your desktop and navigate to and delete this folder:

C:\SDFix

then empty the recycle bin.

Glad we could help.



#22
March 14, 2008 at 15:20:57

Thanks Jabuck to you and your team. It is wonderful to have people like you who make life and computers :) easy!!!

Allah Bless !

Saiza

