"BASITH" -:56:43 Service Pack 2 ComboFix.2V - Running from: C:\Documents and Settings\BASITH\Desktop\ (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system\svchost.exe ((((((((((((((((((((((((((((((( Files Created from to )))))))))))))))))))))))))))))))))) :50 <DIR> d--hs---- C:\FOUND.006:31 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT:17 <DIR> d-------- C:\!KillBox:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys:48 <DIR> d--hs---- C:\FOUND.005:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion:27 <DIR> d--hs---- C:\FOUND.004:02 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys:04 <DIR> d--hs---- C:\FOUND.003:56 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL:56 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS:56 <DIR> d-------- C:\Program Files\Norton AntiVirus:07 <DIR> d--hs---- C:\FOUND.002:36 <DIR> d-------- C:\Program Files\directx:40 <DIR> d--hs---- C:\FOUND.001:02 <DIR> d--h----- C:\WINDOWS\PIF:23 <DIR> d-------- C:\Program Files\Inbit (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) :06 -------- d-------- C:\Program Files\quicktime:33 -------- d-------- C:\DOCUME~1\BASITH\APPLIC~1\apple computer:58 -------- d-------- C:\Program Files\Common Files\vbox:02 1459 --a------ C:\WINDOWS\mozver.dat:38 73216 --a------ C:\WINDOWS\st6unst.exe:38 --------- C:\WINDOWS\setup1.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "VTTimer"="VTTimer.exe" "VTTrayp"="VTtrayp.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "Task Manager"="C:\\WINDOWS\\system\\svchost.exe" "Yahoo Messenger"="C:\\WINDOWS\\system\\svchost32.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" "Yahoo! Pager"="\"D:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - BASITH.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan:58:16 Windows 5.1.2600 Service Pack 2 FAT scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time::58:18 C:\ComboFix-quarantined-files.txt ...:58

0

I hope the above post helps u !! though it has not aligned properly as it has on the notepad. Lemme know if ther is anythin more i can do .. Thanx a million

0

Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable. This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log on your desktop.

0

Hey jabuck i will being following this above process once i reach home today from work. I was wondering why is my system taking lot of time to start up. The loading process is very slow. Once i am connected to the net, i only use GTALK for time being & looks like that too is slow compared to before. I hope these issues are fixed once you have provided me all the solutions. I will post the log as asked above ASAP. Thanx

0

Dr.Web Cureit. LOG index[1].htm\javascript.0;C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\index[1].htm;VBS.Psyme.377;; index[1].htm;C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY;Archive contains infected objects;Moved.; A0026674.EXE;C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73;Win32.HLLW.Texmer;Incurable.Moved.; svchost.exe;C:\!KillBox;Win32.HLLW.Texmer;Incurable.Moved.;

0

Still not a lot showing up. Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html Click Accept When the updates are finished downloading, click Next, Scan Settings Under Scan using the following antivirus database:, select extended Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK Click My Computer and wait for the scan to finish Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

0

--------------------- KASPERSKY ONLINE SCANNER REPORT Tuesday, April 24, 2007 8:15:20 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 24/04/2007 Kaspersky Anti-Virus database records: --------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ Scan Statistics: Total number of scanned objects: 28846 Number of viruses found: 3 Number of infected objects: 35 Number of suspicious objects: 0 Duration of the scan process: 00:31:50 Infected Object Name / Virus Name / Last Action C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system\svchost.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\WINDOWS\system\svchost.exe AutoIt: infected - 1 skipped C:\WINDOWS\system\svchost.exe UPX: infected - 1 skipped C:\WINDOWS\system\svchost.exe PE_Patch.UPX: infected - 1 skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-24_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\91D8075D.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F18F17A6.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\NTUSER.DAT Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.EXE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.exe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.exe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.exe PE_Patch.UPX: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Temp\Perflib_Perfdata_8b0.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\History\History.IE5\MSHist012007042420070425\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe PE_Patch.UPX: infected - 1 skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\BASITH\Cookies\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\history.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\cert8.db Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\key3.db Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\parent.lock Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\formhistory.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\search.sqlite Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\BASITH\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\index[1].htm Infected: Trojan-Downloader.JS.Small.dn skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.EXE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.exe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.exe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.exe PE_Patch.UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.exe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.exe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.exe PE_Patch.UPX: infected - 1 skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.EXE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.exe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.exe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74\A0028171.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74\A0028171.exe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74\A0028171.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74\A0028171.exe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74\change.log Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\system\svchost.exe.vir/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\QooBox\Quarantine\C\WINDOWS\system\svchost.exe.vir AutoIt: infected - 1 skipped C:\QooBox\Quarantine\C\WINDOWS\system\svchost.exe.vir UPX: infected - 1 skipped C:\QooBox\Quarantine\C\WINDOWS\system\svchost.exe.vir PE_Patch.UPX: infected - 1 skipped D:\Back-up\BOOMBox_Setup.exe/data0018 Infected: not-a-virus:AdWare.Win32.Advision.a skipped D:\Back-up\BOOMBox_Setup.exe Inno: infected - 1 skipped Scan process completed.

0

Navigate to and delete these folders: C:\QooBox C:\Documents and Settings\BASITH\DoctorWeb\Quarantine Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip 1. Click on Avenger.zip to open the file Extract avenger.exe to your desktop 2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Files to delete: C:\WINDOWS\system\svchost.exe/script.au3 C:\WINDOWS\system\svchost.exe C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.EXE/script.au3 C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.exe C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. 3. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon which will open a new window titled "View/edit script" Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done Now click on the Green Light to begin execution of the script Answer "Yes" twice when prompted. 4. The Avenger will automatically do the following: It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. 5. Please copy/paste the content of c:\avenger.txt into your reply. Open notepad (Start Menu > Run > Type notepad and press "ok". Copy and paste everything into notepad between the x's making regedit4 the top line. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Task Manager"=- "Yahoo Messenger"=- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes. Post a new Hijack This log and a new combofix log please.

0

Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\gqwmbvok ******************* Script file located at: \??\C:\WINDOWS\system32\fsjrback.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Could not open file C:\WINDOWS\system\svchost.exe/script.au3 for deletion Deletion of file C:\WINDOWS\system\svchost.exe/script.au3 failed! Could not process line: C:\WINDOWS\system\svchost.exe/script.au3 Status: 0xc0000033 File C:\WINDOWS\system\svchost.exe deleted successfully. Could not open file C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.EXE/script.au3 for deletion Deletion of file C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.EXE/script.au3 failed! Could not process line: C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.EXE/script.au3 Status: 0xc0000033 File C:\Documents and Settings\BASITH\Local Settings\Temp\IEXPLORE.exe deleted successfully. File C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\82ORY1BY\YMworm[1].exe deleted successfully. Completed script processing. ******************* Finished! Terminate. When i tried doing the **Double click Fix.reg**, I got an error message saying REGISTRY EDITING HAS BEEN DISABLED BY YOUR ADMINISTER. There is no ADMINISTRATOR login to this computer. It has always logged into this log automatically. never asks for which LOGIN you wanna choose. Also i would want to tell you that, the RUN function does not show up when i click on the START menu under different TABS. There should be something that was not done properly when i installed the OS i guess. I aint sure about it thou. On the safe mode a couple of days back when you told me to do things, There was ADMIN & BASITH logins. JUST FYI. Anyway, i haev gone ahead and done a HIJACKTHIS and am pasting the log here. The REGISTRY MERGING did not happen. Below is the HIJACKTHIS log. Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 7:13:14 PM, on 4/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe D:\Program Files\iPod\bin\iPodService.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe C:\WINDOWS\system32\notepad.exe D:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe D:\AV 07\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.exe" -quiet O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg -- End of file - 9164 bytes

0

Run Hijack This again and remove these item: O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 Restart the computer. Post a new Hijack This log.

0

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:13:13 AM, on 4/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe D:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe D:\AV 07\HiJackThis_v2.exe D:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.exe" -quiet O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg -- End of file - 8844 bytes Again I did get that message: REGISTRY EDITING HAS BEEN DISABLED BY YOUR ADMINISTER. I restarted the computer after FIXING what you wanted me to. and ran LOG & have posted it as above. Thanks a lot

0

Your hijack This log appears clean but lets looks a little further. Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable. This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log on your desktop. Please perform an online virus scan with F-Secure Online Scanner. Please navigate (using Internet Explorer, other browsers won't work) to the following site: F-Secure Online Scanner Click the Online Virus Scanner link. (Bottom of the page) When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended). After cleaning has finished, then the Finish screen will be displayed. Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that information into this thread, along with a new HijackThis log and a combofix log please.

0

Hi Jabuck , I will follow this above procedure as soon as i reach home from work. That should be in another couple of hours. I will post all the three LOG RESULTS once i am done with them. But could you tell me, How come i don't see the RUN COMMAND on my START MENU. Even shortcut keys for RUN dont work, system tells, You can't access this command or something like that. Anyway. will post the log file soon. Thanks

0

Dr Web CureIt LOG: A0028171.exe;C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP74;Win32.HLLW.Texmer;Incurable.Moved.; index[1].htm\javascript.0;C:\Recycled\Dc2\index[1].htm;VBS.Psyme.377;; index[1].htm;C:\Recycled\Dc2;Archive contains infected objects;Moved.; A0026674.EXE;C:\Recycled\Dc2;Win32.HLLW.Texmer;Incurable.Moved.; svchost.exe;C:\Recycled\Dc2;Win32.HLLW.Texmer;Incurable.Moved.; F-Secure Log: Scanning Report Thursday, April 26,:10:39 - 21:04:07 Computer name: PINK-HOUSE Scanning type: Scan system for viruses, rootkits, spyware Target: C:\ D:\ E:\ ---------------------- Result: 20 malware found IM-Worm.Win32.Sohanad.ae (virus) C:\avenger\backup.zip\avenger\svchost.exe C:\avenger\backup.zip\avenger\IEXPLORE.exe C:\avenger\backup.zip\avenger\YMworm[1].exe C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028255.exe (Renamed & Submitted) C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028348.exe (Renamed & Submitted) C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028349.exe (Renamed & Submitted) C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.exe (Renamed & Submitted) C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0028171.exe (Renamed & Submitted) C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.exe (Renamed & Submitted) C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.exe (Renamed & Submitted) Tracking Cookie (spyware) System (Disinfected) System System System System System System System Trojan-Downloader.JS.Small.dn (virus) C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\index[1].htm (Renamed & Submitted) Windows (spyware) System (Disinfected) ---------------------- Statistics Scanned: Files: 25929 System: 3877 Not scanned: 17 Actions: Disinfected: 2 Renamed: 8 Deleted: 0 None: 10 Submitted: 8 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Need For Speed II SE/GameData/Tracks/Speeds/TR00.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR02.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR03.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR04.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR05.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR06.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR07.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR08.ALN Need For Speed II SE/GameData/Tracks/Speeds/TR00.PLN Need For Speed II SE/GameData/Tracks/Speeds/TR03.PLN D:\GAMES\DD2CAR\SAVEGAME a-nt313.r00 a-nt313.r01 a-nt313.r02 D:\Back-up\WINZIP8.1\WINZIP81.EXE\SETUP.WZ\WINZIP32.EX_ ---------------------- Options Scanning engines: F-Secure AVP: 7.0.171, F-Secure Blacklight: 1.0.53, F-Secure Draco: 1.0.35, F-Secure Libra: 2.4.2, F-Secure Orion: 1.2.37, F-Secure Pegasus: 1.19.0, Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX Scan inside archives Use Advanced heuristics ---------------------- Copyright © Product support |Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability. HijackThis Log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 9:08:09 PM, on 4/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe D:\Program Files\iPod\bin\iPodService.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe D:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft Office\OFFICE11\EXCEL.exe D:\AV 07\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quicknews.info R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.exe" -quiet O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fsc... O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg -- End of file - 8975 bytes COMBOFIX log will be posted in the next reply

0

"BASITH" -:08:48 Service Pack 2 ComboFix.2V - Running from: C:\Documents and Settings\BASITH\Desktop\ ((((((((((((((((((((((((((((((( Files Created from to )))))))))))))))))))))))))))))))))) :06 <DIR> d-------- C:\avenger:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab:40 <DIR> d-------- C:\DOCUME~1\BASITH\DoctorWeb:32 756,736 --------- C:\WINDOWS\system32\ir41_32.dll:32 56,832 --------- C:\WINDOWS\system32\iyvu9_32.dll:32 143,872 --------- C:\WINDOWS\system32\iacenc.dll:40 283,648 --a------ C:\WINDOWS\uninst.exe:39 <DIR> d-------- C:\DOCUME~1\BASITH\WINDOWS:58 <DIR> d-------- C:\Program Files\Acclaim Entertainment:38 <DIR> d-------- C:\Program Files\Vice City:50 <DIR> d--hs---- C:\FOUND.006:31 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT:17 <DIR> d-------- C:\!KillBox:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys:48 <DIR> d--hs---- C:\FOUND.005:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion:27 <DIR> d--hs---- C:\FOUND.004:02 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys:04 <DIR> d--hs---- C:\FOUND.003:56 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL:56 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS:56 <DIR> d-------- C:\Program Files\Norton AntiVirus:07 <DIR> d--hs---- C:\FOUND.002:36 <DIR> d-------- C:\Program Files\directx:40 <DIR> d--hs---- C:\FOUND.001:02 <DIR> d--h----- C:\WINDOWS\PIF (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) :23 -------- d-------- C:\Program Files\inbit:06 -------- d-------- C:\Program Files\quicktime:33 -------- d-------- C:\DOCUME~1\BASITH\APPLIC~1\apple computer:58 -------- d-------- C:\Program Files\Common Files\vbox:02 1459 --a------ C:\WINDOWS\mozver.dat:38 73216 --a------ C:\WINDOWS\st6unst.exe:38 --------- C:\WINDOWS\setup1.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "VTTimer"="VTTimer.exe" "VTTrayp"="VTtrayp.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" "Yahoo! Pager"="\"D:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - BASITH.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan:10:58 Windows 5.1.2600 Service Pack 2 FAT scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time::11:00 C:\ComboFix-quarantined-files.txt ...:11 C:\ComboFix2.txt ...:58

0

See if this will work, if not we will need to make a registry edit. Right click the Start button and select Properties, then Customize. Scroll down and put the check mark in the Show Run entry. If you're using the new Start panel, its on the Advanced tab. Your java is out of date and needs to be updated as soon as possible. Download the latest version of http://java.sun.com/javase/downloads/index.jsp Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed . Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version. You should consider adding "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

0

JABUCK, I have tried doing the DISPLAY RUN, but the button does not seem to show up on the system, when i follow those steps. I guess we just might have to make a registry edit. I will update java once i reach home. Could you please tell me if everythin is clean on my system now. Can i install msn messenger, run yahoo messenger ??? And if all's fine, can i remove any of the softwares i installed during your help. I also wonder why my system starts up so slow. Is there many programs running during start-up. Is it the Norton 2007 that has made it slow. Because I installed it very recently. Thanks for everything

0

Hey JABUCK, Today while i was using msn ... again ...some link was throw from my ID !! Looks like somethin still wrong here :(

0

Try this, go to this link http://www.kellys-korner-xp.com/xp_tweaks.htm then scroll down to # 57 on the list> on the right side of the page click "restore the run command" and download it to your desktop. Right click on the "norun.reg" icon on your desktop> click merge. Restart the computer, and see if that replaced the run function in your start menu.

0

Please download Deckards System Scanner to your desktop. Close all applications and windows. Double-click on dds.exe to run it, and follow the prompts. The scan may take a minute. When the scan is complete, a text file will open - main.txt A folder (C:\Deckard\System Scanner) will also open which contains the main.txt and an extra.txt. Copy and paste the contents of main.txt in your next reply. (Do not post the extra.txt - only post this when being asked)

0

Deckard's System Scanner v20070426.43 Run by BASITH on at 02:35:38 Computer is in Normal Mode. ---------------------- -- HijackThis (run as BASITH.---------------------- Logfile of HijackThis v1.99.1 Scan saved at 2:36:04 AM, on 5/1/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system\svchost.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\BASITH\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\BASITH.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Bluetooth.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fsc... O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- Files created between and 20--------- :53:09 --a------ C:\WINDOWS\system\svchost.exe:57:53 0 d-------- C:\WINDOWS\pss:10:28 0 d-------- C:\Program Files\MSN Messenger:12:44 0 d-------- C:\Program Files\Common Files\Java:06:21 0 d-------- C:\avenger:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab:29:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab:40:08 0 d-------- C:\Documents and Settings\BASITH\DoctorWeb:32:10 56832 -----n--- C:\WINDOWS\system32\iyvu9_32.dll:32:10 -----n--- C:\WINDOWS\system32\iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>:32:09 -----n--- C:\WINDOWS\system32\ir41_32.dll <Not Verified; Intel Corporation; Intel Indeo(R) Video Interactive 32-bit Driver>:40:04 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>:39:57 0 d-------- C:\Documents and Settings\BASITH\WINDOWS:58:38 0 d-------- C:\Program Files\Acclaim Entertainment:38:10 0 d-------- C:\Program Files\Vice City:50:24 0 d--hs---- C:\FOUND.006:31:37 0 d--h----- C:\Documents and Settings\Administrator\Templates:31:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu:31:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo:31:37 0 d--h----- C:\Documents and Settings\Administrator\Recent:31:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood:31:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood:31:37 0 d-------- C:\Documents and Settings\Administrator\My Documents:31:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings:31:37 0 d-------- C:\Documents and Settings\Administrator\Favorites:31:37 0 d-------- C:\Documents and Settings\Administrator\Desktop:31:37 0 d---s---- C:\Documents and Settings\Administrator\Cookies:31:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data:31:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft:31:36 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT:17:41 0 d-------- C:\!KillBox:48:44 0 d--hs---- C:\FOUND.005:27:44 0 d--hs---- C:\FOUND.004:04:54 0 d--hs---- C:\FOUND.003:56:34 0 d-------- C:\Program Files\Norton AntiVirus:07:16 0 d--hs---- C:\FOUND.002:36:20 0 d-------- C:\Program Files\directx:40:56 0 d--hs---- C:\FOUND.001 -- Find3M Re---------- :23:06 0 d-------- C:\Program Files\Inbit:06:20 0 d-------- C:\Program Files\QuickTime:33:46 0 d-------- C:\Documents and Settings\BASITH\Application Data\Apple Computer:41:10 0 dr-h----- C:\Documents and Settings\BASITH\Application Data\yahoo!:58:50 0 d-------- C:\Program Files\Common Files\Vbox:58:12 0 d-------- C:\Program Files\Macromedia:31:10 0 d-------- C:\Program Files\IrfanView:02:46 1459 --a------ C:\WINDOWS\mozver.dat:38:26 73216 --a------ C:\WINDOWS\ST6UNST.exe <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>:38:26 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows> -- Registry ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "VTTimer"="VTTimer.exe" "VTTrayp"="VTtrayp.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Task Manager"="C:\\WINDOWS\\system\\svchost.exe" "Yahoo Messenger"="C:\\WINDOWS\\system\\svchost32.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=dword:00000001 "DisableTaskMgr"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRun"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="googletalk" "hkey"="HKCU" "command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="MsnMsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 -- End of Deckard's System Scanner: finished at at 02:36:28 ---------

0

Looks like we found something, we will need to alter on procedure. Please download OTMoveIT by Oldtimer Save it to your desktop. Please double-click OTMoveIt.exe to run it. Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window: C:\WINDOWS\system\svchost.exe C:\WINDOWS\system\lsass.exe C:\WINDOWS\lsass.exe C:\WINDOWS\system\svchost32.exe C:\WINDOWS\system\YMworm.exe C:\Program Files\ rundll32.exe Then click the red Moveit! button below. This will display the results in the right windows where it says "Results" on top Copy and paste everything present in the Results window (right window) and save these results in notepad and save it on your desktop, because we need to see those results afterwards. Close OTMoveIt. You may be ask to reboot the computer but reboot even if you are not ask to do so and if you get any errors we will take care of those as soon as we can it should cause no problems. Next, Run Hijack This from normal mode, close all windows and browsers except hijack This, place a check to the left of these items and press "fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thecoolpics.net/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\system\svchost.exe O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 Exit Hijack this Please download Brute Force Uninstaller Unzip it to it’s own folder (c:\BFU) Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner. When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute' In the field, copy and paste next URL: http://metallica.geekstogo.com/coolpics.bfu Click Ok. Then click execute in Brute Force Uninstaller. Extra note: If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( coolpics.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller. Wait for the complete script execution box to popup and press OK. Press exit to terminate the BFU program. Open notepad (Start Menu > Run > Type notepad and press "ok". Copy and paste everything into notepad between the x's making regedit4 the top line. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX REGEDIT4 [HKEY_CURRENT_USER\Software\yahoo\pager\View\YMSGR_buzz] "content url"=- [HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast] "content url"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoFolderOptions"=- "NoRun"=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoFolderOptions"=- "NoRun"=- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes. Please post the results of OTMoveIt and a new Hijack This log.

0

I don't think, Fix.reg will be allowed as the last time i tried doin so it said, ADMINISTRATOR does not allow. I will stil try it once i head back home tonite. Also the RUN option is missing again from the START menu. will post what you asked for in the next post

0

Post a new Hijack This log and a new combofix log please.

0

I'm sorry for beaing a noob in this, But Jabuck, Should i do what you asked me to in RESPONSE 28 or just do things you mentioned in RESPONSE 30. I will do it as soon as i reach home tonite. awaiting your help

0

Jabuck :) I did everything mentioned on RESPONSE 28 & 30. Even the Fix.reg worked fine. Logfile of HijackThis v1.99.1 Scan saved at 9:41:33 PM, on 5/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Bluetooth.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fsc... O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe OTMOVEIT LOG: C:\WINDOWS\system\svchost.exe moved successfully. File/Folder not found. File/Folder C:\WINDOWS\system\lsass.exe not found. File/Folder not found. File/Folder C:\WINDOWS\lsass.exe not found. File/Folder not found. File/Folder C:\WINDOWS\system\svchost32.exe not found. File/Folder not found. File/Folder C:\WINDOWS\system\YMworm.exe not found. File/Folder not found. File/Folder C:\Program Files\ rundll32.exe not found. Created on 05/02/2007 21:24:55 "BASITH" -:42:26 Service Pack 2 ComboFix.2V - Running from: D:\ ((((((((((((((((((((((((((((((( Files Created from to )))))))))))))))))))))))))))))))))) :36 <DIR> d-------- C:\BFU:28 <DIR> d-------- C:\Deckard:57 <DIR> d-------- C:\WINDOWS\pss:10 <DIR> d-------- C:\Program Files\MSN Messenger:06 <DIR> d-------- C:\avenger:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab:40 <DIR> d-------- C:\DOCUME~1\BASITH\DoctorWeb:32 756,736 --------- C:\WINDOWS\system32\ir41_32.dll:32 56,832 --------- C:\WINDOWS\system32\iyvu9_32.dll:32 143,872 --------- C:\WINDOWS\system32\iacenc.dll:40 283,648 --a------ C:\WINDOWS\uninst.exe:39 <DIR> d-------- C:\DOCUME~1\BASITH\WINDOWS:58 <DIR> d-------- C:\Program Files\Acclaim Entertainment:38 <DIR> d-------- C:\Program Files\Vice City:50 <DIR> d--hs---- C:\FOUND.006:31 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT:17 <DIR> d-------- C:\!KillBox:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys:48 <DIR> d--hs---- C:\FOUND.005:27 <DIR> d--hs---- C:\FOUND.004:02 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys:04 <DIR> d--hs---- C:\FOUND.003:56 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL:56 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS:56 <DIR> d-------- C:\Program Files\Norton AntiVirus:07 <DIR> d--hs---- C:\FOUND.002 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) :36 -------- d-------- C:\Program Files\directx:23 -------- d-------- C:\Program Files\inbit:02 1459 --a------ C:\WINDOWS\mozver.dat (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMan"="SOUNDMAN.EXE" "VTTimer"="VTTimer.exe" "VTTrayp"="VTtrayp.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\"" "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\"" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source REG_SZ file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="googletalk" "hkey"="HKCU" "command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="MsnMsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Usnsvc REG_MULTI_SZ usnsvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - BASITH.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan:44:04 Windows 5.1.2600 Service Pack 2 FAT scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time::44:06 C:\ComboFix-quarantined-files.txt ...:44 C:\ComboFix3.txt ...:58 C:\ComboFix2.txt ...:11

0

Your Hijack This log is clean, you are doing quite well for a self proclaimed "noob". How is the computer operating?

0

LOL ... Thanx !! ;) The computer is still SLOW during the start up ... and then i have'nt started using the MSN or YAHOO messnger, cos i was wondering is the worm still in the system. Its already sent links to people on my buddy list the last time i was on it ... hence not taking a chance :)

0

Ok, run Kaspersky once again http://kaspersky.com/kos/english/kavwebscan.html Click Accept When the updates are finished downloading, click Next, Scan Settings Under Scan using the following antivirus database:, select extended Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK Click My Computer and wait for the scan to finish Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

0

--------------------- KASPERSKY ONLINE SCANNER REPORT Friday, May 04, 2007 9:14:14 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 4/05/2007 Kaspersky Anti-Virus database records: --------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ Scan Statistics: Total number of scanned objects: 29084 Number of viruses found: 3 Number of infected objects: 54 Number of suspicious objects: 0 Duration of the scan process: 00:28:38 Infected Object Name / Virus Name / Last Action C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-05-04_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6E979B55.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8B865CFD.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\NTUSER.DAT Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\History\History.IE5\MSHist012007050420070505\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\BASITH\Local Settings\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\Cache\BBB4397Cd01 Object is locked skipped C:\Documents and Settings\BASITH\Cookies\index.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\history.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\cert8.db Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\key3.db Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\parent.lock Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\formhistory.dat Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\search.sqlite Object is locked skipped C:\Documents and Settings\BASITH\Application Data\Mozilla\Firefox\Profiles\my1jpcz5.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\BASITH\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0028171.0xe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0028171.0xe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0028171.0xe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0028171.0xe PE_Patch.UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\index[1].0tm Infected: Trojan-Downloader.JS.Small.dn skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.0XE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.0XE AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.0XE UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\A0026674.0XE PE_Patch.UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.0xe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.0xe AutoIt: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.0xe UPX: infected - 1 skipped C:\Documents and Settings\BASITH\DoctorWeb\Quarantine\svchost.0xe PE_Patch.UPX: infected - 1 skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.0XE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.0XE AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.0XE UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP73\A0027764.0XE PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028255.0xe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028255.0xe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028255.0xe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028255.0xe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028348.0XE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028348.0XE AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028348.0XE UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028348.0XE PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028349.0xe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028349.0xe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028349.0xe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028349.0xe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028359.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028359.exe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028359.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028359.exe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028360.EXE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028360.exe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028360.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028360.exe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028361.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028361.exe AutoIt: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028361.exe UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP75\A0028361.exe PE_Patch.UPX: infected - 1 skipped C:\System Volume Information\_restore{1C01F5C1-3797-46F0-86EB-1CF78E8322A6}\RP83\change.log Object is locked skipped C:\avenger\backup.zip/avenger/svchost.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\avenger\backup.zip/avenger/svchost.exe Infected: IM-Worm.Win32.Sohanad.ae skipped C:\avenger\backup.zip ZIP: infected - 2 skipped C:\Deckard\System Scanner\20070501023533\backup\DOCUME~1\BASITH\LOCALS~1\Temp\IEXPLORE.EXE/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\Deckard\System Scanner\20070501023533\backup\DOCUME~1\BASITH\LOCALS~1\Temp\IEXPLORE.exe AutoIt: infected - 1 skipped C:\Deckard\System Scanner\20070501023533\backup\DOCUME~1\BASITH\LOCALS~1\Temp\IEXPLORE.exe UPX: infected - 1 skipped C:\Deckard\System Scanner\20070501023533\backup\DOCUME~1\BASITH\LOCALS~1\Temp\IEXPLORE.exe PE_Patch.UPX: infected - 1 skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system\svchost.exe/script.au3 Infected: IM-Worm.Win32.Sohanad.ae skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system\svchost.exe AutoIt: infected - 1 skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system\svchost.exe UPX: infected - 1 skipped C:\_OTMoveIt\MovedFiles\WINDOWS\system\svchost.exe PE_Patch.UPX: infected - 1 skipped D:\Back-up\BOOMBox_Setup.exe/data0018 Infected: not-a-virus:AdWare.Win32.Advision.a skipped D:\Back-up\BOOMBox_Setup.exe Inno: infected - 1 skipped Scan process completed.

0

Navigate to and delete the foldeers: C:\Documents and Settings\BASITH\DoctorWeb\Quarantine C:\avenger\backup.zip C:\Deckard\System Scanner\20070501023533\backup C:\_OTMoveIt\MovedFiles Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Reboot into safe mode. Run AFT CLeaner from safe mode. The D: drives backup folder appears to be infected , can you delete those backed up files? Post a new Hijack This log please.

0

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 10:46:47 AM, on 5/5/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\VTtrayp.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\AV 07\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie... O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Bluetooth.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis... O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fsc... O17 - HKLM\System\CCS\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS1\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O17 - HKLM\System\CS2\Services\Tcpip\..\{10A22B64-156F-4A99-9825-36BB1CB73A54}: NameServer = 61.1.96.69,61.1.96.71 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/BASITH/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg -- End of file - 7777 bytes This HijackThis log was taken from normal mode. I have done everything you told above. I even deleted the D:Backup Folder. System sdtill starting up slowing.

0

I see a two suspucious items. Please download SDFix by AndyManchesta and save it to your desktop. Please then reboot your computer in Safe Mode by doing the following: Restart your computer. After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually. Instead of Windows loading as normal, a menu with options should appear. Select the first option, to run Windows in "Safe Mode", then press "Enter". Choose your usual account. Once in Safe Mode, please do the following: In Safe Mode, right-click the SDFix.zip folder and choose Extract All. Open the extracted folder and double-click RunThis.bat to start the script. Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC. Your system will take longer that normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

0