
Malware Removal Instructions

Help! malware.bnkf and trojan.win2.pakes.bxx HJT


Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 29th, 2008, 9:44 pm

Delete the combofix.exe you have now and download a newer version:

1. Download ComboFix from one of these locations. (Please save it to your desktop.)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


________________________________________
Open notepad and copy/paste the text in the quotebox below into it:



Killall::

File::
C:\WINDOWS\system32\drivers\streamm.sys
C:\drmHeader.bin

Folder::
C:\WINDOWS\System32\vt8
C:\WINDOWS\System32\mp2
C:\WINDOWS\System32\ez4
C:\WINDOWS\System32\che9
C:\WINDOWS\System32\edcA17


Driver::
streamm


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


(image: dragging CFScript.txt onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will need in your next reply.

_______________________

If you haven't as of yet please do the hosts file as described above.

___________________________
Post the log from ComboFix.

Let me know if the pop-ups continue
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 30th, 2008, 3:43 pm

This is really weird.

I proceeded as you instructed. Deleted the version and downloaded a new one to the desktop. I tried to run the script again from the .txt file created and continued to get the same error.

I even d/l'ed the program from both sites listed and rebooted and tried, same error. Do I need to manually go in and remove these files?

Let me know your thoughts when you get a chance...

And I am still getting pop-ups. I left the machine on the network for about 4 hours last evening and came back to over 30 IE windows open. Interesting enough, I rarely use IE. I use firefox almost exclusively. The only time I go into IE is for a site that may not render properly in Firefox. That happens like once a month.
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 30th, 2008, 5:59 pm

I've just now read something new about the fix.
Let's try it this way; I'm changing the script just slightly.
Please indulge me, as I want to see if we can get this program to work one last time. If it doesn't work we will use another tool.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\drivers\streamm.sys
C:\drmHeader.bin

Folder::
C:\WINDOWS\System32\vt8
C:\WINDOWS\System32\mp2
C:\WINDOWS\System32\ez4
C:\WINDOWS\System32\che9
C:\WINDOWS\System32\edcA17


Driver::
streamm.



NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


(image: dragging CFScript.txt onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will need in your next reply.


If that still gives you trouble please try this.

_________________________________
_________________________________

OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\WINDOWS\system32\drivers\streamm.sys
    C:\drmHeader.bin

    C:\WINDOWS\System32\vt8
    C:\WINDOWS\System32\mp2
    C:\WINDOWS\System32\ez4
    C:\WINDOWS\System32\che9
    C:\WINDOWS\System32\edcA17


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    <<Insert files and folders to search for and move>>

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



_____________________________
  • Post the log from ComboFix or OTMOVEIT .
  • A new HJT log.
  • With the files gone I am curious about the popups.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 30th, 2008, 8:00 pm

Okay, tried combofix again and it gave the same error. (no worries on the retries, I tried googling the error myself and couldn't come up with anything. So whatever you need, I'll work it out).

I moved on to OTMoveIt...that log is listed below.

Some of the bad news. I told you I left the machine on the network last night for 4 hours. I'm now wondering if that was a bad idea. I disconnected it and ALT-F4'd to close the pop-up windows. But now my icons are all highlighted in blue and I'm being nagged worse than ever about opening windows and working offline (since I'm disconnected). In addition, my Norton AV scan ran last night and found 13 viruses; 4 it could not delete or move:

hokev4444.dll
hokev83122.dll
nGpxx011065.exe
Dot1XCfg.exe

I'm hoping I did not introduce more issues. I have disabled Search and Destroy while we work on these issues because I want to be able to make changes to the registry.

I have included a new HJT log as well at the bottom following a reboot.

I also received the following error following the latest reboot:

'During a scan of files at system startup, potential errors in the system registry were found.
p-07-0111 irql: 1f SYSVER 0xff00024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED'


Let me know where to proceed next. I'm sorry this is chewing up a lot of time on your end.

Thank you.



File move failed. C:\WINDOWS\system32\drivers\streamm.sys scheduled to be moved on reboot.
C:\drmHeader.bin moved successfully.
File/Folder not found.
C:\WINDOWS\System32\vt8 moved successfully.
C:\WINDOWS\System32\mp2 moved successfully.
C:\WINDOWS\System32\ez4 moved successfully.
C:\WINDOWS\System32\che9 moved successfully.
C:\WINDOWS\System32\edcA17 moved successfully.

OTMoveIt2 v1.0.15 log created on 01302008_173355



----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53, on 2008-01-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\c3JzMTc4\command.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
D:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\timesync.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\PROGRA~1\CLIMAT~1\execs\Model.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
D:\Program Files\PokerOffice\bin\javaw.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\DOCUME~1\Smith\MYDOCU~1\ICROSO~1.NET\logonui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\Documents and Settings\Smith\Application Data\s?stem32\m?iexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\EndInstall.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [POEngine] "D:\Program Files\PokerOffice\POEngine.exe" D:\Program Files\PokerOffice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Tnnm] "C:\DOCUME~1\Smith\MYDOCU~1\ICROSO~1.NET\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Lmaus] "C:\Documents and Settings\Smith\Application Data\s?stem32\m?iexec.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... ltt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt2_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud4.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud4.sports.yahoo.com/java/y/nflst8226_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud5.sports.yahoo.com/java/y/nhlst8244_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... i_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includ ... reQual.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.atlas.lsu.edu/acgm/acgm.cab
O21 - SSODL: RunOnceVolume - {c86a8dc8-6016-4295-a603-e16ac3e5d4c0} - C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll
O21 - SSODL: DriveRom - {725997bc-47cd-436f-ac43-48eed75b2e3c} - C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3JzMTc4\command.exe
O23 - Service: CPDNService - University of Oxford, Computing Laboratory & Dept of Atmospheric Physics - D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe
O23 - Service: TimeSync - Intellisoft AG, Switzerland - C:\WINDOWS\SYSTEM32\timesync.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\EPSON\profsydyb.html

--
End of file - 11922 bytes
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 30th, 2008, 10:01 pm

Did you just install this program?

Program Files\Dot1XCfg

OK, for now we will go after this the old-fashioned way. :lol:
________________________________

Go to
Start / Control Panel / Add or Remove Programs;
And Uninstall

Web Buying

Please look for anything else recently installed you do not know what it is.



__________________________________
Rename Hijackthis.exe:

Right click on hijackthis.exe and choose rename:
Rename it to noname:


______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O4 - HKCU\..\Run: [Tnnm] "C:\DOCUME~1\Smith\MYDOCU~1\ICROSO~1.NET\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Lmaus] "C:\Documents and Settings\Smith\Application Data\s?stem32\m?iexec.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe



________________________________
Back up the registry


Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.


Next
__________________________________

Open Notepad and copy the text in the box exactly into Notepad.


Code:
REGEDIT4

sc stop cmdservice
sc delete cmdservice

sc stop "Network Monitor"
sc delete "Network Monitor"




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.



Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file.

Now double click the file on the desktop
When asked if you want this to merge with the registry.
Click YES!


___________________________________
Reconfigure Windows XP to show hidden files:

Click Start. My Computer.
Select the Tools menu Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

___________________________________
Safe mode:
Please reboot to safe mode:
After the very first black screen start tapping the
F8 key until prompted with a list.... choose Safe
Mode.



___________________________________
Search for and remove
Now I want you to search for and delete the following folders and all their contents if present. If you need help finding them.
Click start /search/ all files and folders/ look for More advanced options. once in there select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

C:\Program Files\Web Buying

C:\DOCUMENTS AND SETTINGS\Smith\MYDOCUMENTS\ICROSO~1.NET <<< THIS IS A FOLDER The name of the folder will look like ICROSO..delete the entire folder

C:\Documents and Settings\Smith\Application Data\s?stem32 <<< THIS IS NOT YOUR C:\WINDOWS\SYSTEM32 FOLDER.
But in this location (Documents and Settings\Smith\Application Data) it will look like a system32 folder. Double check with me if you're unsure.

C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c} <<<folder

C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0} <<<Folder



___________________________________
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
____________________________________



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Vundo
  • Let me know about the program Dot1XCfg
  • Keep this machine off the internet as much as you are able to until we are finished.
  • Is your Norton Anti Virus up to date and you have a paid subscription ?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
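Two steps in this thread lend themselves to a small tool: picking the suspicious lines out of the HijackThis log posted above, and turning the flagged O23 service lines into correctly quoted `sc` commands (a service name with a space, such as Network Monitor, must be quoted or `sc` reads only the first word). The script below is an added example; it is not code from the original posts, from HijackThis or from any of the tools named here. The sample lines are copied from the log above, and the triage heuristics (a Run entry whose binary lives under a user profile, a `?` where HJT printed a non-ASCII lookalike character as in `s?stem32`, a service with "Unknown owner", a nameless BHO, an SSODL DLL under a Windows\Installer GUID folder) are this example's own assumptions, not HijackThis verdicts.

```python
"""Triage a HijackThis v2 log and emit service-removal commands.

Added example for this thread; not part of the original posts or of HJT.
All flagging rules here are heuristics chosen for this example."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\mljhiih.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Tnnm] "C:\DOCUME~1\Smith\MYDOCU~1\ICROSO~1.NET\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Lmaus] "C:\Documents and Settings\Smith\Application Data\s?stem32\m?iexec.exe"
O21 - SSODL: DriveRom - {725997bc-47cd-436f-ac43-48eed75b2e3c} - C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3JzMTc4\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section: O2, O4, O21, O23
    name: str    # Run value name, BHO CLSID, SSODL name or service key name
    path: str    # command line or binary path as HJT printed it
    reason: str  # why this example flags the line (heuristic, not an HJT verdict)


# Line shapes as they appear in the HJT v2 log above.
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
SSODL_RE = re.compile(r'^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$')
# "Display Name (KeyName) - Company - path"; the (KeyName) part is only
# printed by HJT when the key name differs from the display name.
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))? - (?P<company>.+?) - (?P<path>.+)$')

PROFILE_MARKERS = ('\\documents and settings\\', '\\docume~1\\')


def path_reasons(path: str) -> list:
    """Heuristics (this example's assumptions) for an autostart command line."""
    reasons = []
    if '?' in path:
        # HJT prints non-ASCII lookalike characters as '?' (s?stem32, m?iexec.exe).
        reasons.append('non-ASCII lookalike character in path')
    if any(m in path.lower() for m in PROFILE_MARKERS):
        reasons.append('autostart binary lives under a user profile')
    return reasons


def parse_hjt(text: str) -> list:
    """Return one Finding per flagged line, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m['name'] == '(no name)':
                findings.append(Finding('O2', m['clsid'], m['path'], 'BHO with no name'))
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = path_reasons(m['cmd'])
            if reasons:
                findings.append(Finding('O4', m['name'], m['cmd'], '; '.join(reasons)))
            continue
        m = SSODL_RE.match(line)
        if m:
            if '\\installer\\{' in m['path'].lower():
                findings.append(Finding('O21', m['name'], m['path'],
                                        'SSODL DLL under a Windows\\Installer GUID folder'))
            continue
        m = SVC_RE.match(line)
        if m and m['company'] == 'Unknown owner':
            key = m['key'] or m['display']   # sc needs the key name, not the display name
            findings.append(Finding('O23', key, m['path'], 'service with unknown owner'))
    return findings


def sc_commands(service: str) -> list:
    """Stop then delete a service; always quote so names with spaces survive sc's parsing."""
    return [f'sc stop "{service}"', f'sc delete "{service}"']


def removal_commands(text: str) -> list:
    """sc commands for every flagged O23 service in the log."""
    cmds = []
    for f in parse_hjt(text):
        if f.kind == 'O23':
            cmds.extend(sc_commands(f.name))
    return cmds


if __name__ == '__main__':
    for f in parse_hjt(SAMPLE_LOG):
        print(f'{f.kind:<4}{f.name:<40}{f.reason}')
    print('\n'.join(removal_commands(SAMPLE_LOG)))
```

Run it against a saved HJT log by passing the file contents to parse_hjt; the flagged lines are a review list, not a kill list, so confirm each one (for instance the company field of an O23 line) before feeding the generated `sc` commands to a cmd prompt.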

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 30th, 2008, 10:13 pm

I need to know something.
Combofix.exe I think you had an old copy is that correct ?
which drive was it on ?
or
Any idea how combo folder got moved to another drive ?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 30th, 2008, 10:21 pm

Bob,

I had the old copy of combofix on the C drive on the desktop. I know this because when I first ran the script...i dropped it on combofix and it told me the version was too old or 30 days old or something like that.

So, I had to d/l an updated version. Meanwhile, I canned the old one.

As far as another folder with it in it. I do not think I should have one during an old install. So, it shouldn't be on another drive unless its D...but if it is, its all old.

That help?

Oh and I did not install any program on this machine. I've been staying off it as much as possible for the reasons you mentioned above. So, whatever that is, is something that I either inadvertently clicked last night or d/l'ed in the background while still online.

My version of Norton is 7.6 and is a Corporate Edition from the University I had attended. It's okay at best since it's not the latest version.
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 31st, 2008, 8:11 am

Please try this.
Look for this folder

327882R2FWJFW

and move it to
C:\

Then try a normal run of ComboFix like this.

combofix.exe

2. Close all open windows
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply. (C:\ComboFix.txt)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix, in order to be efficient, is going to disconnect you from the internet. If, when it is done, you can't get back on the internet, just restart the computer.

Let me know if that worked and post a copy of the combo fix.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 31st, 2008, 9:51 am

Okay, today's update.

I ran everything as indicated in yesterday's post. I found the 4 directories as indicated and deleted them. I also tried to remove any programs that were last used or created on 1/29 or later. I did find 3 in Add/Remove and got rid of them. Although Web Buying is no longer in there, it did not want to uninstall cleanly. It kept trying to open an IE window to head to a website for an uninstaller. I have totally shut internet access off to this machine. I'm working from another laptop, moving any program that needs to be downloaded and run over to it and moving logs back to that machine to post.

So, we will not be on the 'net with it unless you specifically ask me to.

A couple of other notes. I ran Vundo as you'll see below. However, 2 files/viruses could not be deleted. I tried to reboot in safe mode and delete them manually, but could not do it. You will also see them in the HJT log. I tried checking them and Fixing, but that also did not work. It would give a flaky message about making sure all windows are closed for best success, but never remove them.

The ones I'm talking about are:
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\mljhiih.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\nokbmpqv.dll

I will try searching for the weird directory today when I get home from work to see if we can get combofix up and running.

Norton again ran last night, found another 15-20 items. I deleted them permanently this morning when I got up. One file could not be removed, it was the nokbmpqv.dll mentioned above.

Also, ran the registry backup as you asked for. BTW, noticed about 200-300 files in my C: with small numbers 300.tmp and always ending in .tmp. Not sure if this is part of some of the scans or the virus.

As always, thanks for hanging in there with me.


-------------------------------------------------------------------------------------------------------------------
VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 3:57:07 PM 1/13/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 22:38:47 2008-01-30

Listing files found while scanning....

C:\WINDOWS\system32\cbxxxwx.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\icosxdyk.dll
C:\WINDOWS\system32\mljhiih.dll
C:\WINDOWS\System32\nokbmpqv.dll
C:\windows\system32\nokbmpqv.dllbox
C:\WINDOWS\system32\tuvssss.dll
C:\WINDOWS\system32\twtwmeuo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxxxwx.dll
C:\WINDOWS\system32\cbxxxwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\icosxdyk.dll
C:\WINDOWS\system32\icosxdyk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhiih.dll
C:\WINDOWS\system32\mljhiih.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\nokbmpqv.dll
C:\WINDOWS\System32\nokbmpqv.dll Could not be deleted.

Attempting to delete C:\windows\system32\nokbmpqv.dllbox
C:\windows\system32\nokbmpqv.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvssss.dll
C:\WINDOWS\system32\tuvssss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\twtwmeuo.dll
C:\WINDOWS\system32\twtwmeuo.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljhiih.dll
C:\WINDOWS\system32\mljhiih.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\nokbmpqv.dll
C:\WINDOWS\System32\nokbmpqv.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...


-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:26, on 2008-01-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\c3JzMTc4\command.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
D:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\timesync.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\mljhiih.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\nokbmpqv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\EndInstall.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [POEngine] "D:\Program Files\PokerOffice\POEngine.exe" D:\Program Files\PokerOffice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... ltt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt2_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud4.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud4.sports.yahoo.com/java/y/nflst8226_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud5.sports.yahoo.com/java/y/nhlst8244_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... i_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includ ... reQual.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.atlas.lsu.edu/acgm/acgm.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljhiih - C:\WINDOWS\SYSTEM32\mljhiih.dll
O20 - Winlogon Notify: nokbmpqv - C:\WINDOWS\SYSTEM32\nokbmpqv.dll
O21 - SSODL: RunOnceVolume - {c86a8dc8-6016-4295-a603-e16ac3e5d4c0} - C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll (file missing)
O21 - SSODL: DriveRom - {725997bc-47cd-436f-ac43-48eed75b2e3c} - C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3JzMTc4\command.exe
O23 - Service: CPDNService - University of Oxford, Computing Laboratory & Dept of Atmospheric Physics - D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe
O23 - Service: TimeSync - Intellisoft AG, Switzerland - C:\WINDOWS\SYSTEM32\timesync.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\EPSON\profsydyb.html

--
End of file - 12047 bytes
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm
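The HijackThis log above is triaged by eye on this forum: the O2 BHO and O20 Winlogon Notify entries pointing at mljhiih.dll / nokbmpqv.dll, the O23 services with "Unknown owner", and the orphaned "(file missing)" entries are what the helper is keying on. As an added illustration (not part of the thread and not HijackThis's own tooling), the following Python script parses HJT entry lines and applies those same markers as simple heuristics. The sample input is a subset of the log lines posted above; the rule set and its thresholds are an assumption of this example, not an official HijackThis classification.

```python
import re
from dataclasses import dataclass

# Sample lines taken from the HijackThis log posted above (header and process
# list omitted). A raw string so the Windows paths need no escaping.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\mljhiih.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljhiih - C:\WINDOWS\SYSTEM32\mljhiih.dll
O21 - SSODL: RunOnceVolume - {c86a8dc8-6016-4295-a603-e16ac3e5d4c0} - C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c3JzMTc4\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\EPSON\profsydyb.html
"""

# Every HJT entry starts with a section tag such as "R0", "O2", "O23" followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def entries(text):
    """Yield (section, body, full_line) for each entry line; header lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def _display_name(body):
    # "BHO: Foo - {clsid} - path" -> "Foo"; "Service: Foo - Owner - path" -> "Foo"
    return body.partition(": ")[2].partition(" - ")[0].strip()


def _clsid(body):
    m = CLSID_RE.search(body)
    return m.group(0).upper() if m else None


def _known_names(text):
    """CLSIDs that carry a display name somewhere in the log. An unnamed O9 button
    sharing its CLSID with a named 'Tools' menu item (the Java console above) is
    HijackThis printing the button half of one extension, not an anonymous component."""
    names = {}
    for _, body, _ in entries(text):
        name, clsid = _display_name(body), _clsid(body)
        if clsid and name and name != "(no name)":
            names[clsid] = name
    return names


def triage(text):
    """Return the entries worth a second look, with the heuristic that fired (assumed rules)."""
    known = _known_names(text)
    findings = []
    for section, body, line in entries(text):
        reasons = []
        if "(no name)" in body and section in {"O2", "O9", "O24"}:
            if _clsid(body) not in known:
                reasons.append("registered without a display name")
        if "(file missing)" in body:
            reasons.append("registered file is absent from disk (orphaned or half-removed entry)")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no vendor information")
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon. Heuristic from the log
            # above: a key named exactly like its DLL stem, under the Windows directory.
            name, _, path = body.partition(": ")[2].partition(" - ")
            stem = path.strip().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if name.strip().lower() == stem.lower() and "\\windows\\" in path.lower():
                reasons.append("Winlogon Notify DLL under the Windows directory named after its own key")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it flags six lines: the unnamed BHO, the mljhiih Winlogon Notify entry, the orphaned SSODL object, both "Unknown owner" services, and the nameless desktop component, while the Adobe BHO, the Java console button, SUPERAntiSpyware's Winlogon hook and the iPod service pass. These are prompts for a human reviewer, not verdicts; the forum's experts still decide what goes into the fix script.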

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 31st, 2008, 3:38 pm

OK, here's what I would like you to do.

Run ComboFix by just double-clicking on the exe. When you receive the error message DO NOT close that message. Search for folder -
327882R2FWJFW
.
Copy what's in the box for the search.

( do an all files search) Note down the location of the folder to inform me. Then right click and choose copy... copy that folder to the root of drive C:.
Your Next ComboFix run will be trouble free. !
It specifically targets both of the infections you have.

I think what has happened is you once ran Combo from another location / hard drive on this computer and a folder is out of place. It may be very much like how some programs will not uninstall for you because files are in the wrong place.

Hopefully next run we will see a combofix log.

___________________________________
You mentioned that Norton's wasn't the latest version. That's OK.
But do you have a paid subscription for it?
If not, we will get a good free antivirus installed.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 31st, 2008, 9:49 pm

Okay, success!!

The folder is created in C:\SDFix... interestingly, the folder is only there when running ComboFix. I can't find it after the program runs, or if I want to run it again, I get the same error and the folder 'appears' in this directory.

Either way, I ran it. The first time took longer, did a reboot, but did not produce a log. I ran it again and that time it completed properly. I have included the log file for that created below as well as a new HJT log. I believe the first run through did more 'work', but I do not have anything to show from it.

As far as your antivirus question, I am not paying for a subscription. So, it's probably wise to run a new anti-virus program. I have AVG installed, but I have rarely used it, if that is one you think I should update and run with.

Let me know what you think of these logs and where to go next:

ComboFix 08-01-30.1 - Smith 2008-01-31 20:27:30.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.585 [GMT -5:00]
Running from: C:\Documents and Settings\Smith\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljhiih.dll
C:\WINDOWS\system32\nokbmpqv.dll
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Documents and Settings\LocalService.NT AUTHORITY.014\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.014\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.014\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY.014\Application Data\NetMon
C:\Documents and Settings\NetworkService.NT AUTHORITY.014\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY.014\Application Data\NetMon\log.txt
C:\Documents and Settings\Smith\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Smith\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Smith\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\EPSON\profsydyb.html
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080130-231519-826.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\c3JzMTc4\
C:\WINDOWS\c3JzMTc4\\asappsrv.dll
C:\WINDOWS\c3JzMTc4\\command.exe
C:\WINDOWS\c3JzMTc4\\waLWgnwb.vbs
C:\WINDOWS\c3JzMTc4\command.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\nokbmpqv.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_MP32
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor




((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 20:28 . 2008-01-31 20:28 <DIR> d-------- C:\TEMP\tn3
2008-01-30 22:38 . 2008-01-31 19:10 <DIR> d-------- C:\VundoFix Backups
2008-01-30 22:36 . 2008-01-30 22:36 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-29 20:00 . 2008-01-29 20:00 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-01-29 19:54 . 2008-01-29 19:54 <DIR> d-------- C:\WINDOWS\system32\wts1
2008-01-29 19:54 . 2008-01-29 19:54 <DIR> d-------- C:\WINDOWS\system32\vip4
2008-01-29 19:54 . 2008-01-31 03:14 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-29 19:54 . 2008-01-30 03:09 <DIR> d-------- C:\WINDOWS\system32\knis6
2008-01-29 19:54 . 2008-01-30 17:36 <DIR> d-------- C:\WINDOWS\system32\comg9
2008-01-29 19:54 . 2008-01-29 19:54 <DIR> d-------- C:\TEMP\gTiis19
2008-01-29 19:54 . 2008-01-29 19:54 <DIR> d-------- C:\TEMP\cXzz9
2008-01-29 19:54 . 2008-01-29 19:54 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-29 19:29 . 2008-01-29 19:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 07:09 . 2008-01-29 07:09 <DIR> d-------- C:\Deckard
2008-01-28 20:28 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 19:50 . 2008-01-28 19:51 <DIR> d-------- C:\Documents and Settings\Smith\.SunDownloadManager
2008-01-27 18:34 . 2008-01-27 18:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 18:34 . 2008-01-27 18:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-01-15 18:59 . 2008-01-28 23:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-15 18:59 . 2008-01-15 18:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 06:51 . 2008-01-14 06:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 15:52 . 2008-01-28 05:08 4,194,474 --a------ C:\piplog.log.old
2008-01-13 08:22 . 2008-01-13 08:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-01-13 08:21 . 2008-01-14 19:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-13 08:21 . 2008-01-13 08:21 <DIR> d-------- C:\Documents and Settings\Smith\Application Data\SUPERAntiSpyware.com
2008-01-13 08:20 . 2008-01-13 08:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 22:17 . 2008-01-12 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 19:59 . 2008-01-12 20:59 317 --a------ C:\WINDOWS\wininit.ini
2008-01-12 11:52 . 2008-01-28 23:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-12 11:51 . 2008-01-12 19:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-12 10:40 . 2008-01-12 21:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
2008-01-12 10:15 . 2008-01-12 10:15 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2008-01-12 10:13 . 2008-01-12 10:13 <DIR> d-------- C:\TEMP\Ryuan1
2008-01-12 10:13 . 2008-01-12 10:13 86,016 --a------ C:\WINDOWS\system32\drivers\streamm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:23 --------- d-----w C:\Program Files\EPSON
2008-01-31 04:15 --------- d-----w C:\Program Files\Adaptec
2008-01-31 02:33 --------- d-----w C:\Program Files\Google
2008-01-29 01:28 --------- d-----w C:\Program Files\Java
2008-01-27 22:49 --------- d-----w C:\Program Files\Viewpoint
2008-01-27 22:49 --------- d-----w C:\Documents and Settings\Smith\Application Data\Viewpoint
2008-01-27 22:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-01-15 12:10 --------- d-----w C:\Documents and Settings\Smith\Application Data\tunebite
2008-01-13 23:17 4,154 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-13 00:40 --------- d-----w C:\Program Files\AIM6
2007-07-08 12:34 25,032 ----a-w C:\Documents and Settings\Smith\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 04:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-06-21 16:37 61,440 ----a-w C:\Program Files\Registered.dll
2002-06-21 16:33 24,576 ----a-w C:\Program Files\EnDeCrypt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 08:00 176178]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-06-10 19:10 1003520]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 12:51 1600448]
"tunebite.exe"="D:\Program Files\tunebite\tunebite.exe" [2006-02-15 14:16 350720]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-07-28 21:50 684032]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-24 08:50 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-25 14:03 180269]
"HGTXPEI"="C:\WINDOWS\EndInstall.exe" [ ]
"SoundFusion"="hercplgs.cpl" [2001-10-04 14:05 1761280 C:\WINDOWS\system32\hercplgs.cpl]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"POEngine"="D:\Program Files\PokerOffice\POEngine.exe" [2005-07-13 09:17 18944]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [2007-11-08 17:58 323216]
"vptray"="D:\Program Files\NavNT\vptray.exe" [2001-09-24 06:59 73728]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"VF0060 STISvc"="V0060Pin.dll" [2004-10-31 20:00 36864 C:\WINDOWS\system32\V0060Pin.dll]
"hp Update 3300C"="C:\sj650\hpupdate.exe" [2002-01-31 09:38 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\Smith\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16 2913584]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\IAccess\Qualcomm\Eudora\EuShlExt.dll [2001-04-12 18:05 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RunOnceVolume"= {c86a8dc8-6016-4295-a603-e16ac3e5d4c0} - C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll [ ]
"DriveRom"= {725997bc-47cd-436f-ac43-48eed75b2e3c} - C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

R0 Hpt3xxNT;Hpt3xxNT;C:\WINDOWS\System32\DRIVERS\Hpt3xxNT.sys [2001-10-17 20:37]
R1 streamm;streamm;C:\WINDOWS\System32\drivers\streamm.sys [2008-01-12 10:13]
R1 VIAPFD;VIAPFD;C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-05-04 02:24]
R2 CPDNService;CPDNService;D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE [2004-02-09 15:17]
R2 TimeSync;TimeSync;C:\WINDOWS\SYSTEM32\timesync.exe [2002-10-16 22:33]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys []
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\System32\DRIVERS\lgatbus.sys [2006-05-20 01:00]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\System32\DRIVERS\lgatmdm.sys [2006-05-20 01:00]
S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\System32\DRIVERS\V0060Vid.sys [2005-02-02 03:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 09:45:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 20:31:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> D:\Program Files\PokerOffice\bin\pnhimp.Dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\Program Files\NavNT\defwatch.exe
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\SYSTEM32\timesync.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\PROGRA~1\CLIMAT~1\execs\Model.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
D:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\locator.exe
.
**************************************************************************
.
Completion time: 2008-01-31 20:32:37 - machine was rebooted [Smith]
ComboFix-quarantined-files.txt 2008-02-01 01:32:34
-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35, on 2008-01-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\Program Files\NavNT\defwatch.exe
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\timesync.exe
D:\PROGRA~1\CLIMAT~1\execs\Model.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
D:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\EndInstall.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [POEngine] "D:\Program Files\PokerOffice\POEngine.exe" D:\Program Files\PokerOffice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... ltt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt2_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud4.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud4.sports.yahoo.com/java/y/nflst8226_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud5.sports.yahoo.com/java/y/nhlst8244_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... i_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includ ... reQual.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.atlas.lsu.edu/acgm/acgm.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RunOnceVolume - {c86a8dc8-6016-4295-a603-e16ac3e5d4c0} - C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll (file missing)
O21 - SSODL: DriveRom - {725997bc-47cd-436f-ac43-48eed75b2e3c} - C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CPDNService - University of Oxford, Computing Laboratory & Dept of Atmospheric Physics - D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe
O23 - Service: TimeSync - Intellisoft AG, Switzerland - C:\WINDOWS\SYSTEM32\timesync.exe

--
End of file - 11268 bytes
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » January 31st, 2008, 11:21 pm

________________________________________
Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\piplog.log.old
C:\WINDOWS\system32\jpewocmz.ini
C:\TEMP\Ryuan1
C:\WINDOWS\system32\drivers\streamm.sys

Folder::
C:\TEMP\tn3
C:\WINDOWS\system32\wts1
C:\WINDOWS\system32\vip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\knis6
C:\WINDOWS\system32\comg9
C:\TEMP\gTiis19
C:\TEMP\cXzz9
C:\WINDOWS\Installer\{725997bc-47cd-436f-ac43-48eed75b2e3c}\DriveRom.dll
C:\WINDOWS\Installer\{c86a8dc8-6016-4295-a603-e16ac3e5d4c0}\RunOnceVolume.dll


Driver::
streamm

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RunOnceVolume"= -
"DriveRom"= -


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.

__________________________________



OK, your anti-virus.
You have Norton installed but you do not have a paid subscription. Really bad idea. Obvious by now, I would think.

AVG Anti-Spyware is not an anti-virus program... It's a good program but works differently.

Here's what you need to do.

Download one of these now but DO NOT install it yet.

AVG FREE

Avast

Avira AntiVir Personal Edition Classic


Uninstall the Norton anti-virus program. If you have trouble doing so,
go here.
Download and run the appropriate tool for your Norton product as described by year.



Now install the new anti virus program you have chosen.
Let it update .


_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • Let me know how things are running.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » January 31st, 2008, 11:56 pm

Okay... ComboFix ran... had to run twice since it blue-screened the first time on me. However, I have the log below. I also have a new HJT log.

I'm in the process of installing the new anti-virus software. It's not that I didn't have a paid subscription. The product still would update definitions every day, but I am just not comfortable with this version. Too much seems to slip through the cracks. So, I'll give AVG a shot.

As far as pop-ups go, so far, so good. My desktop icons still are highlighted blue. But, I'm wondering if that is something I'm just going to have to fix manually.

I'm going to run the anti-virus overnight. I'll let you know what it finds. Also, if you need me to do anything else, let me know.

I'm going to continue to keep it off the network, except for updating definitions.

ComboFix 08-01-30.1 - Smith 2008-01-31 22:37:52.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Smith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Smith\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\piplog.log.old
C:\TEMP\Ryuan1
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\streamm.sys
C:\WINDOWS\system32\jpewocmz.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\streamm.sys
.
---- Previous Run -------
.
C:\piplog.log.old
C:\TEMP\cXzz9
C:\TEMP\gTiis19
C:\TEMP\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\comg9
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\knis6
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\vip4
C:\WINDOWS\system32\vip4\hoftidndll3.exe
C:\WINDOWS\system32\wts1
C:\WINDOWS\system32\wts1\ovstadcom2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_STREAMM
-------\streamm


-------\streamm


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 22:25 . 2008-01-31 22:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-30 22:38 . 2008-01-31 19:10 <DIR> d-------- C:\VundoFix Backups
2008-01-29 19:29 . 2008-01-29 19:29 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 07:09 . 2008-01-29 07:09 <DIR> d-------- C:\Deckard
2008-01-28 20:28 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 19:50 . 2008-01-28 19:51 <DIR> d-------- C:\Documents and Settings\Smith\.SunDownloadManager
2008-01-27 18:34 . 2008-01-27 18:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 18:34 . 2008-01-27 18:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-01-15 18:59 . 2008-01-28 23:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-15 18:59 . 2008-01-15 18:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 06:51 . 2008-01-14 06:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 08:22 . 2008-01-13 08:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-01-13 08:21 . 2008-01-14 19:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-13 08:21 . 2008-01-13 08:21 <DIR> d-------- C:\Documents and Settings\Smith\Application Data\SUPERAntiSpyware.com
2008-01-13 08:20 . 2008-01-13 08:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 22:17 . 2008-01-12 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 19:59 . 2008-01-12 20:59 317 --a------ C:\WINDOWS\wininit.ini
2008-01-12 11:52 . 2008-01-28 23:05 <DIR> d-------- C:\Program Files\CCleaner
2008-01-12 11:51 . 2008-01-12 19:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-12 10:40 . 2008-01-12 21:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
2008-01-12 10:13 . 2008-01-12 10:13 <DIR> d-------- C:\TEMP\Ryuan1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:23 --------- d-----w C:\Program Files\EPSON
2008-01-31 04:15 --------- d-----w C:\Program Files\Adaptec
2008-01-31 02:33 --------- d-----w C:\Program Files\Google
2008-01-29 01:28 --------- d-----w C:\Program Files\Java
2008-01-27 22:49 --------- d-----w C:\Program Files\Viewpoint
2008-01-27 22:49 --------- d-----w C:\Documents and Settings\Smith\Application Data\Viewpoint
2008-01-27 22:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-01-15 12:10 --------- d-----w C:\Documents and Settings\Smith\Application Data\tunebite
2007-12-13 00:40 --------- d-----w C:\Program Files\AIM6
2007-07-08 12:34 25,032 ----a-w C:\Documents and Settings\Smith\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 04:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-06-21 16:37 61,440 ----a-w C:\Program Files\Registered.dll
2002-06-21 16:33 24,576 ----a-w C:\Program Files\EnDeCrypt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 08:00 176178]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-06-10 19:10 1003520]
"AnyDVD"="D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-10-28 12:51 1600448]
"tunebite.exe"="D:\Program Files\tunebite\tunebite.exe" [2006-02-15 14:16 350720]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-07-28 21:50 684032]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-24 08:50 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-25 14:03 180269]
"HGTXPEI"="C:\WINDOWS\EndInstall.exe" [ ]
"SoundFusion"="hercplgs.cpl" [2001-10-04 14:05 1761280 C:\WINDOWS\system32\hercplgs.cpl]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"POEngine"="D:\Program Files\PokerOffice\POEngine.exe" [2005-07-13 09:17 18944]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NapsterShell"="D:\Program Files\Napster\napster.exe" [2007-11-08 17:58 323216]
"vptray"="D:\Program Files\NavNT\vptray.exe" [2001-09-24 06:59 73728]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"VF0060 STISvc"="V0060Pin.dll" [2004-10-31 20:00 36864 C:\WINDOWS\system32\V0060Pin.dll]
"hp Update 3300C"="C:\sj650\hpupdate.exe" [2002-01-31 09:38 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\Smith\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16 2913584]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\IAccess\Qualcomm\Eudora\EuShlExt.dll [2001-04-12 18:05 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

R0 Hpt3xxNT;Hpt3xxNT;C:\WINDOWS\System32\DRIVERS\Hpt3xxNT.sys [2001-10-17 20:37]
R1 VIAPFD;VIAPFD;C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-05-04 02:24]
R2 CPDNService;CPDNService;D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE [2004-02-09 15:17]
R2 TimeSync;TimeSync;C:\WINDOWS\SYSTEM32\timesync.exe [2002-10-16 22:33]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys []
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 07:12]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\System32\DRIVERS\lgatbus.sys [2006-05-20 01:00]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\System32\DRIVERS\lgatmdm.sys [2006-05-20 01:00]
S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\System32\DRIVERS\V0060Vid.sys [2005-02-02 03:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 09:45:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 22:41:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> D:\Program Files\PokerOffice\bin\pnhimp.Dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\Program Files\NavNT\defwatch.exe
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\SYSTEM32\timesync.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\PROGRA~1\CLIMAT~1\execs\Model.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\PokerOffice\bin\javaw.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\locator.exe
.
**************************************************************************
.
Completion time: 2008-01-31 22:43:24 - machine was rebooted [Smith]
ComboFix-quarantined-files.txt 2008-02-01 03:43:21
ComboFix2.txt 2008-02-01 01:32:37


-----------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47, on 2008-01-31
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
D:\Program Files\NavNT\defwatch.exe
D:\PROGRA~1\CLIMAT~1\execs\Client Interface.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\timesync.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
D:\Program Files\Napster\napster.exe
D:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\sj650\hpupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
D:\Program Files\PokerOffice\bin\javaw.exe
D:\Program Files\tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\EndInstall.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [POEngine] "D:\Program Files\PokerOffice\POEngine.exe" D:\Program Files\PokerOffice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Travelaxe - {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - C:\Program Files\Travelaxe\Travelaxe.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\program files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/c ... ltt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt2_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud4.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: Yahoo! NFL StatTracker - http://aud4.sports.yahoo.com/java/y/nflst8226_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud5.sports.yahoo.com/java/y/nhlst8244_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... i_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includ ... reQual.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.atlas.lsu.edu/acgm/acgm.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CPDNService - University of Oxford, Computing Laboratory & Dept of Atmospheric Physics - D:\PROGRA~1\CLIMAT~1\execs\CPDNSE~1.EXE
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\SAgent4.exe
O23 - Service: TimeSync - Intellisoft AG, Switzerland - C:\WINDOWS\SYSTEM32\timesync.exe

--
End of file - 10783 bytes
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm
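The log above is HijackThis output. As an added example, not code from this thread or from HijackThis itself, here is a small Python parser for the O16, O20 and O23 line formats it contains, with a review-ordering heuristic that lists entries whose target is a local file outside the Windows or Program Files trees. The sample input is constructed: seven lines copied from the log above plus one constructed O23 line (the `Example Updater` service, its `ExampleSvc` name and the `C:\TEMP` path are placeholders). The "outside standard directories" check is an assumption used only to order what a helper looks at first; it is not a verdict on any entry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: seven lines copied from the HijackThis log in this
# thread plus one constructed O23 line (the "Example Updater" service and its
# C:\TEMP path are placeholders, not something from the thread).
SAMPLE_LOG = r"""
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt0_x.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Example Updater (ExampleSvc) - Unknown owner - C:\TEMP\example\updater.exe
""".strip()

# Only the three section types present at the end of the log are handled.
SECTION_PREFIXES = {
    "O16": "O16 - DPF: ",
    "O20": "O20 - Winlogon Notify: ",
    "O23": "O23 - Service: ",
}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}")
TRAILING_PAREN_RE = re.compile(r"\(([^()]*)\)\s*$")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Heuristic (assumption): the Windows and Program Files trees on any drive letter.
STANDARD_DIR_RE = re.compile(r"^[A-Za-z]:\\(WINDOWS|Program Files|PROGRA~1)\\", re.IGNORECASE)


def _split_tail(text: str) -> Tuple[str, str]:
    """Split 'head - tail' on the last ' - '. A bare trailing ' -' (the Java
    Plug-in line above has no target) yields an empty tail."""
    if text.endswith(" -"):
        return text[:-2].rstrip(), ""
    head, sep, tail = text.rpartition(" - ")
    return (head, tail) if sep else (text, "")


def parse_hjt_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one O16/O20/O23 line into its fields; other sections return None."""
    line = line.strip()
    for section, prefix in SECTION_PREFIXES.items():
        if line.startswith(prefix):
            rest = line[len(prefix):]
            break
    else:
        return None
    entry: Dict[str, Optional[str]] = {"section": section, "raw": line}
    if section == "O23":
        # O23 - Service: <display name> (<service name>) - <vendor> - <binary path>
        head, entry["path"] = _split_tail(rest)
        head, entry["vendor"] = _split_tail(head)
        m = TRAILING_PAREN_RE.search(head)
        entry["short_name"] = m.group(1) if m else None
        entry["name"] = head[: m.start()].rstrip() if m else head
    else:
        # O16 - DPF: [{CLSID}] [(<name>) | <name>] - <download URL or local file>
        # O20 - Winlogon Notify: <name> - <DLL path>
        head, entry["path"] = _split_tail(rest)
        m = CLSID_RE.match(head)
        entry["clsid"] = m.group(0) if m else None
        head = head[m.end():].strip() if m else head
        m = TRAILING_PAREN_RE.search(head)
        entry["name"] = m.group(1) if m else (head or None)
    return entry


def parse_hjt_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse every handled line of a log; unhandled sections are skipped."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def local_targets_outside_standard_dirs(entries):
    """Entries whose target is a local file outside the Windows or Program Files
    trees. A review-ordering heuristic only, not a verdict on the entry."""
    return [e for e in entries
            if e["path"] and LOCAL_PATH_RE.match(e["path"]) and not STANDARD_DIR_RE.match(e["path"])]


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_LOG)
    for e in entries:
        ident = e.get("clsid") or e.get("short_name") or "-"
        print(e["section"], ident, e["name"], "->", e["path"] or "(no target)")
    print("Review first:", [e["raw"] for e in local_targets_outside_standard_dirs(entries)])
```

Running it prints one parsed row per line and then only the constructed `C:\TEMP` service under "Review first"; every copied line from the thread resolves to a URL or to a path under `C:\WINDOWS` or `C:\Program Files`, so none of them is listed. The O16 Java Plug-in line parses with an empty target rather than failing, which is the one awkward shape in this part of the log.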

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby Bob4 » February 1st, 2008, 7:57 am

Delete this one folder.
C:\TEMP\Ryuan1


____________________________
This program needs to be uninstalled and reinstalled.

C:\Program Files\Google\GoogleToolbarNotifier

______________________________

Post a new HJT log once you have a new Anti Virus program in place and Nortons removed.

I do not need to see AVG's log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Help! malware.bnkf and trojan.win2.pakes.bxx HJT

Unread postby wxmansmith » February 1st, 2008, 10:50 am

I deleted this folder without issue: C:\TEMP\Ryuan1

In looking through my directories...this folder and application (from Add/Remove Programs) do not exist:

C:\Program Files\Google\GoogleToolbarNotifier

I did a search for it and did find a directory with it in ..\Application Data\Real\GoogleToolbarNotifier

That also contained GoogleToolbarNotifier.exe

Unless you feel differently, I'm going to delete all of these files. I notice it is in the HJT log too. Would you like me to remove the entries from there as well? I'll wait to hear from you before I move on this item.

Uninstalling the Norton AV has been a challenge. It's a 2000 version of the program and the 'uninstaller' does not work. So, I found instructions from the site you sent on how to do it manually and edit the registry, etc. I'll be working on that this evening.

I did run a scan with AVG and the only items it found were a .zip file that CFScript created to be uploaded for further examination. So, I'm encouraged to say that it's not finding additional problems.

Also, I'm not seeing pop-ups trying to get on the screen anymore...so we are definitely headed in the right direction.

~Steve
wxmansmith
Regular Member
 
Posts: 17
Joined: January 27th, 2008, 3:35 pm