Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infected Laptop

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infected Laptop

Unread postby Towel » March 12th, 2008, 11:25 pm

Hello all once again. My lapop is infected with adware and a possible trojan. If I remember right, just right now when I turned on my laptop, my scanner just removed a "Baja Trojan" (I think that was the name). Anyway now I keep seeing random Ads popup on the internet. I keep getting popups saying I have viruses and that I should run a "scan". Of course these popups are not from my own virus scanner but from the internet, which I do no trust. Below is my log. Thanks for the help!
==========================

Logfile of HijackThis v1.99.1
Scan saved at 8:14:03 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\S2V2aW4\command.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\MCROSO~1\nopdb.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\?ystem\e?plorer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [BM9795776d] Rundll32.exe "C:\WINDOWS\system32\mcjpiwwm.dll",s
O4 - HKLM\..\Run: [94a644f1] rundll32.exe "C:\WINDOWS\system32\nkbfwahw.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\MCROSO~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Bjwe] "C:\Program Files\?ystem\e?plorer.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2V2aW4\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am
Advertisement
Register to Remove

Re: Infected Laptop

Unread postby dan12 » March 13th, 2008, 6:01 pm

Hi, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby dan12 » March 13th, 2008, 6:03 pm

Your version of highjackthis is out of date, remove "HijackThis v1.99.1" via add and remove programs in control panel.


Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

* Doubleclick HJTInstall.exe to install it.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

please post new HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 13th, 2008, 11:35 pm

Thanks for your help Dan. Below is my new HJT log from the latest version of HJT. I must say it was quite a struggle to post this because my laptop is very slow and I get constant popups.
===========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:05 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\S2V2aW4\command.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\MCROSO~1\nopdb.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\Program Files\?ystem\e?plorer.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Documents and Settings\Kevin\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [BM9795776d] Rundll32.exe "C:\WINDOWS\system32\npxibqem.dll",s
O4 - HKLM\..\Run: [94a644f1] rundll32.exe "C:\WINDOWS\system32\ighwlleh.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\MCROSO~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Bjwe] "C:\Program Files\?ystem\e?plorer.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Kevin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2V2aW4\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12028 bytes
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 14th, 2008, 3:13 am

I believe we have some files hiding from us, I'm going to flush them out.

Please go to the C:\Program Files\HijackThis\HijackThis.exe. Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe,

Then run HijackThis again and post a new log please.

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 18th, 2008, 10:26 pm

Hi sorry for the slow reply. You are right. There were some hidden files.


=============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:42 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\S2V2aW4\command.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\MCROSO~1\nopdb.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\?ystem\e?plorer.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Documents and Settings\Kevin\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {5e1e5665-1895-975b-e9d4-114d42947320} - {02374924-d411-4d9e-b579-59815665e1e5} - C:\WINDOWS\system32\lduwnnpc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {29b0598a-b6bd-4766-a1ad-8b0d1f41def8} - C:\WINDOWS\system32\mvfqonj.dll
O2 - BHO: (no name) - {3547CACF-0371-78A8-5010-2900CEC58AC1} - C:\WINDOWS\system32\yvqam.dll
O2 - BHO: (no name) - {3615EE58-6F38-47BA-9DD9-C99BD611C6A6} - C:\WINDOWS\system32\jkhedbc.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7239AE41-9010-459D-8980-C7BE08649223} - C:\Program Files\Windows Plus\jilawixy89104.dll
O2 - BHO: 0 - {810BE0A6-6064-4429-99BE-E686D1D1CFD9} - C:\Program Files\Online Services\lavupaxo947.dll
O2 - BHO: (no name) - {93EA1F47-9EF1-416F-8237-63B98FC0924A} - C:\WINDOWS\system32\gebcc.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [94a644f1] rundll32.exe "C:\WINDOWS\system32\ighwlleh.dll",b
O4 - HKLM\..\Run: [BM9795776d] Rundll32.exe "C:\WINDOWS\system32\npxibqem.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\MCROSO~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Bjwe] "C:\Program Files\?ystem\e?plorer.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Kevin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: jkhedbc - jkhedbc.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2V2aW4\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13422 bytes
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 19th, 2008, 3:31 am

Ok, I need you you to post regularly to clear this infection up as we will end up going round in circles, as this will just keep mutating.

Download and Install CCleaner
  • Download CCleaner from here . Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish

-------------------------------

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------------------

Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

____________

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 19th, 2008, 11:13 pm

Hi Dan thank you for your help. Below is my new HJT log followed by the ComboFix log.
========================================
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:02 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\MCROSO~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Bjwe] "C:\Program Files\?ystem\e?plorer.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: jkhedbc - jkhedbc.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10807 bytes
==============================
ComboFix Log

ComboFix 08-03-18.1 - Kevin 2008-03-19 19:47:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kevin\Application Data\WinTouch
C:\Documents and Settings\Kevin\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Kevin\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Kevin\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\MTE3MTk6ODoxNg.exe
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Online Services\lavupaxo.dll
C:\Program Files\Online Services\lavupaxo947.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Temporary
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\Program Files\Windows Plus\jilawixy89104.dll
C:\Program Files\ystem~1
C:\Program Files\ystem~1\e?plorer.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\S2V2aW4\
C:\WINDOWS\S2V2aW4\\asappsrv.dll
C:\WINDOWS\S2V2aW4\\command.exe
C:\WINDOWS\S2V2aW4\\mZpZuqb.vbs
C:\WINDOWS\S2V2aW4\command.exe
C:\WINDOWS\system32\aaxxcafx.dll
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\crusoee.sys
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\hellwhgi.ini
C:\WINDOWS\system32\iadaexap.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\system32\ighwlleh.dll
C:\WINDOWS\system32\lduwnnpc.dll
C:\WINDOWS\system32\mcjpiwwm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1\M?crosoft\
C:\WINDOWS\system32\mcroso~1\nopdb.exe
C:\WINDOWS\system32\mcvaemvs.dll
C:\WINDOWS\system32\mvfqonj.dll
C:\WINDOWS\system32\npxibqem.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qiwiugah.dll
C:\WINDOWS\system32\qlspdvho.dll
C:\WINDOWS\system32\urqnmjh.dll
C:\WINDOWS\system32\xfacxxaa.ini
C:\WINDOWS\system32\yvqam.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_CRUSOEE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_crusoee
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 19:41 . 2008-03-19 19:41 <DIR> d-------- C:\Program Files\CPV
2008-03-19 19:21 . 2008-03-19 19:21 <DIR> d-------- C:\Program Files\CCleaner
2008-03-12 20:05 . 2008-03-13 20:14 1,320,173 ---hs---- C:\WINDOWS\system32\whawfbkn.ini
2008-03-12 01:15 . 2008-03-12 01:15 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 00:55 . 2008-03-19 19:26 <DIR> d-------- C:\Program Files\nvcoi
2008-03-11 00:56 . 2008-03-11 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-11 00:51 . 2008-03-11 00:55 <DIR> d-------- C:\Program Files\Dell Support Center
2008-03-11 00:51 . 2008-03-11 00:51 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-03-10 23:57 . 2008-03-10 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\typ2
2008-03-10 23:56 . 2008-03-11 00:01 <DIR> d-------- C:\WINDOWS\system32\sbc2
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\lows8
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\ech5
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\dr6
2008-03-10 23:56 . 2008-03-19 19:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 02:54 --------- d-----w C:\Program Files\Windows Plus
2008-03-11 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-10-25 05:30 88 --sh--r C:\WINDOWS\system32\649B6611F4.sys
2007-10-25 05:30 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2008-03-19 19:41 51200 --a------ C:\Program Files\CPV\CPV7.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 17:38 20553]
"Aim6"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49 4670968]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 08:09 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Uaol"="C:\WINDOWS\system32\MCROSO~1\nopdb.exe" [ ]
"Bjwe"="C:\Program Files\?ystem\e?plorer.exe" [ ]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-12 00:55 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-15 00:38 7118848]
"nwiz"="nwiz.exe" [2005-12-15 00:38 1519616 C:\WINDOWS\system32\nwiz.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 02:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 19:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 08:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 14:30 823362]
"HostManager"="C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe" [2006-04-20 10:10 50792]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir [2008-03-10 23:56:14 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-26 11:54:54 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhedbc]
jkhedbc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 20:37:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 19:57:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-19 19:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 02:59:33
.
2008-03-12 08:15:05 --- E O F ---
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 20th, 2008, 9:37 pm

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
Additional info:Here
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

___________________

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player.
The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information.
CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

___________________

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
C:\WINDOWS\system32\649B6611F4.sys
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\system32\whawfbkn.ini
C:\WINDOWS\system32\MRT.INI >


If Jotti is too busy please try Virustotal

_________________


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\MCROSO~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Bjwe] "C:\Program Files\?ystem\e?plorer.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
O20 - Winlogon Notify: jkhedbc - jkhedbc.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit
__________



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\system32\MCROSO~1\nopdb.exe
C:\WINDOWS\system32\typ2
C:\WINDOWS\system32\sbc2
C:\WINDOWS\system32\lows8
C:\WINDOWS\system32\ech5
C:\WINDOWS\system32\dr6

    Folder::
"C:\Program Files\?ystem"
"C:\Program Files\nvcoi"

    Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
"Uaol"=-
"Bjwe"=-
"nvcoi"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhedbc]

    Driver::

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot your computer. Start HiJackThis
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

_____________________


Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log
  • uninstall list

Thanks dan

Edit made to adjust fix
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 21st, 2008, 4:57 pm

Hi Dan, thanks again for all of your help. I appreciate your time and effort. Below is the information you requested:


1. Jotti File Analysis (all 3 files scanned and passed with no abnormalities)

C:\WINDOWS\system32\649B6611F4.sys
C:\WINDOWS\system32\whawfbkn.ini
C:\WINDOWS\system32\MRT.INI

======================================================

2. ComboFix

ComboFix 08-03-18.1 - Kevin 2008-03-21 0:07:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.541 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\dr6
C:\WINDOWS\system32\ech5
C:\WINDOWS\system32\lows8
C:\WINDOWS\system32\MCROSO~1\nopdb.exe
C:\WINDOWS\system32\sbc2
C:\WINDOWS\system32\typ2
.

((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-19 19:41 . 2008-03-21 00:04 <DIR> d-------- C:\Program Files\CPV
2008-03-19 19:21 . 2008-03-19 19:21 <DIR> d-------- C:\Program Files\CCleaner
2008-03-12 20:05 . 2008-03-13 20:14 1,320,173 ---hs---- C:\WINDOWS\system32\whawfbkn.ini
2008-03-12 01:15 . 2008-03-12 01:15 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 00:55 . 2008-03-19 19:26 <DIR> d-------- C:\Program Files\nvcoi
2008-03-11 00:56 . 2008-03-11 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-11 00:51 . 2008-03-11 00:55 <DIR> d-------- C:\Program Files\Dell Support Center
2008-03-11 00:51 . 2008-03-11 00:51 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-03-10 23:57 . 2008-03-10 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\typ2
2008-03-10 23:56 . 2008-03-11 00:01 <DIR> d-------- C:\WINDOWS\system32\sbc2
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\lows8
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\ech5
2008-03-10 23:56 . 2008-03-10 23:56 <DIR> d-------- C:\WINDOWS\system32\dr6
2008-03-10 23:56 . 2008-03-19 19:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 06:24 --------- d-----w C:\Program Files\Viewpoint
2008-03-21 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-20 02:54 --------- d-----w C:\Program Files\Windows Plus
2008-03-11 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-25 05:30 88 --sh--r C:\WINDOWS\system32\649B6611F4.sys
2007-10-25 05:30 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 17:38 20553]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49 4670968]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 08:09 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-15 00:38 7118848]
"nwiz"="nwiz.exe" [2005-12-15 00:38 1519616 C:\WINDOWS\system32\nwiz.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 02:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 19:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 08:44 839680]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 14:30 823362]
"HostManager"="C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe" [2006-04-20 10:10 50792]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-26 11:54:54 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 20:37:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 00:09:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-21 0:09:43
ComboFix-quarantined-files.txt 2008-03-21 07:09:41
ComboFix2.txt 2008-03-20 02:59:37
.
2008-03-12 08:15:05 --- E O F ---



======================================================

3. Malwarebytes log

Malwarebytes' Anti-Malware 1.09
Database version: 518

Scan type: Full Scan (C:\|)
Objects scanned: 86964
Time elapsed: 28 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 93

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{89cc26bc-9256-4cca-a7f3-b9d6c48dba71} (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\rabio.rabiobho (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\rabio.rabiobho.1 (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{923ca88a-ae69-49af-bf65-9a3123b14ccb} (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{8c36d71b-0a48-4d38-9def-2a2a2669d0c9} (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\nvcoi (Trojan.Stars) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\NoDNS (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Rabio.RabioBHO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\RABCO (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Rabio.DLL (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinTouch (Adware.WinPop) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\nvcoi (Trojan.Stars) -> No action taken.
C:\WINDOWS\system32\dr6 (Adware.Rabio) -> No action taken.
C:\WINDOWS\system32\ech5 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lows8 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\sbc2 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\typ2 (Trojan.Downloader) -> No action taken.
C:\Program Files\CPV (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> No action taken.

Files Infected:
C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe (Trojan.Agent) -> No action taken.
C:\Program Files\HijackThis\backups\backup-20080321-000445-486.dll (Trojan.Downloader) -> No action taken.
C:\Program Files\nvcoi\nvcoi.exe (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\Documents and Settings\Kevin\Application Data\WinTouch\WTUninstaller.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir (Adware.PurityScan) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir (Adware.PurityScan) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\InetGet2\MTE3MTk6ODoxNg.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir (Trojan.Insider) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir (Trojan.DNSChanger) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\NoDNS\NoDNS.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo.dll.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo947.dll.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\un_RABCOSetup_16230.exe.vir (Adware.Rabio) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\X_RABCOse.exe.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.8.8\webbuying.exe.vir (Adware.WebBuying) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Windows Plus\jilawixy89104.dll.vir (Adware.TTC) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir (Trojan.Insider) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir (Trojan.Matcash) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir (Trojan.DownLoader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir (Malware.Trace) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\asappsrv.dll.vir (AdWare.CommAd) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\command.exe.vir (AdWare.CommAd) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir (Adware.TargetSaver) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir (Adware.TargetSaver) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\mvfqonj.dll.vir (Adware.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\yvqam.dll.vir (Adware.ClickSpring) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\iDlo01\iDlo011065.exe.vir (Trojan.DownLoader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\MCROSO~1\nopdb.exe.vir (Adware.Purityscan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015242.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015244.exe (Adware.WebBuying) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015255.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP102\A0015283.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP102\A0015299.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015326.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015329.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015348.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015381.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015412.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015414.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015418.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015419.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015526.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015527.exe (Trojan.Insider) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015529.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015532.dll (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015534.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015535.exe (Adware.Rabio) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015536.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015537.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015538.exe (Trojan.DNSChanger) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015540.dll (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015542.exe (Adware.WebBuying) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015543.exe (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015544.exe (Adware.Purityscan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015546.exe (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015548.exe (Adware.PurityScan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015549.exe (Adware.PurityScan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015550.dll (Adware.TargetSaver) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015551.vbs (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015552.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015553.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015555.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015556.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015557.exe (Trojan.Insider) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015558.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015559.exe (Trojan.Matcash) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015560.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015561.dll (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015562.dll (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015574.exe (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015575.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015576.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015577.dll (Adware.TTC) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015579.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015582.dll (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015723.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\dr6\crecomdll1.exe (Adware.RABCO) -> No action taken.
C:\WINDOWS\system32\ech5\vomb33dll.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lows8\spgdn65.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\typ2\key89104.exe (Adware.TTC) -> No action taken.
C:\Program Files\nvcoi\mst.stt (Trojan.Stars) -> No action taken.
C:\Program Files\nvcoi\nvcoi.exe.lzma (Trojan.Stars) -> No action taken.




======================================================

4. Kaspersky Webscanner

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 3:49:08 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 649944
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 58097
Number of viruses found: 30
Number of infected objects: 97
Number of suspicious objects: 0
Duration of the scan process: 00:50:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe Infected: Trojan-Downloader.Win32.Agent.lhu skipped
C:\Documents and Settings\Kevin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\MSHist012008032120080322\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kevin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\nvcoi\nvcoi.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan.Win32.Scapur.k skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\InetGet2\MTE3MTk6ODoxNg.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\QooBox\Quarantine\C\Program Files\NoDNS\NoDNS.exe.vir Infected: Trojan-Downloader.Win32.Agent.kji skipped
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo947.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\QooBox\Quarantine\C\Program Files\Windows Plus\jilawixy89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\Program Files\YSTEM~1\eхplorer.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir Infected: Trojan-Downloader.Win32.Agent.kha skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.lak skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aaxxcafx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iDlo01\iDlo011065.exe.vir Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ighwlleh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lduwnnpc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mcjpiwwm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\MCROSO~1\nopdb.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mcvaemvs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mvfqonj.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.acn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\npxibqem.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qiwiugah.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qlspdvho.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqnmjh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yvqam.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\catchme2008-03-19_195653.93.zip/crusoee.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-03-19_195653.93.zip/gebcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-19_195653.93.zip/WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.ktb skipped
C:\QooBox\Quarantine\catchme2008-03-19_195653.93.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015242.exe Infected: Trojan-Downloader.Win32.Agent.lak skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015244.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015313.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015329.exe Infected: Trojan-Downloader.Win32.Agent.lak skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015414.exe Infected: Trojan-Downloader.Win32.Agent.lbx skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015418.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015419.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015526.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015527.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015529.exe Infected: Trojan-Downloader.Win32.Agent.kji skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015532.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015537.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015538.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015540.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015543.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015544.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015546.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015548.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015549.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015549.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015552.exe Infected: Trojan-Downloader.Win32.Agent.lak skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015553.exe Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015555.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015556.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015557.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015558.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015559.exe Infected: Trojan-Downloader.Win32.Agent.kha skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015561.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015562.dll Infected: not-a-virus:AdWare.Win32.Agent.acn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015563.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015565.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015566.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015567.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015568.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015569.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015570.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015571.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015572.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015574.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015575.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015576.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015577.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015582.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP105\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{44760E83-DBE2-4193-BDE7-6CFDC6C460F9}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5311F8C4-2A12-46FF-A1CB-6D16493D76BB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\ech5\vomb33dll.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\typ2\key89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINDOWS\system32\typ2\key89104.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




======================================================

5. New Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:29 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10121 bytes




======================================================
6. Uninstall List

Adobe Reader 7.0.9
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Mobile Device Support
Apple Software Update
Broadcom Management Programs
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro X
Corel Photo Album 6
CPV
Dell Digital Jukebox Driver
Dell Game Console
Dell Support Center
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESPNMotion
Games, Music, & Photos Launcher
GemMaster Mystic
Get High Speed Internet!
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
Internet Service Offers Launcher
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
mIWA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
NoDNS
nvcoi
NVIDIA Drivers
Otto
PowerDVD 5.7
QuickSet
QuickTime
RABCO
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Synaptics Pointing Device Driver
TMASOEDL
TMASOLDL
Trend Micro PC-cillin Internet Security 12
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoLAN VLC media player 0.8.6c
WebCyberCoach 3.2 Dell
WebFldrs XP
WildTangent Web Driver
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB912067
Win-Touch.com
XChange 360
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 21st, 2008, 7:37 pm

I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Unless you are an extremely avid games player, I recommend you fix this...

Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section.
The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system including
  • Operating System Version
  • CPU Type and Speed
  • Memory Amount
    Video Card type and Driver Version
  • Sound Card type and Driver Version
  • DirectX Version
    Location that the Web Driver was installed from
  • It is also a MAJOR resource hog.
__________________

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



:uninstall some programs:

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add remove programs
click on the following programs


Java and adobe reader

and click on remove

Reboot the computer

: Update Java :

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.

: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnarable for infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/



Can you do me another malwarebytes scan please.

Please include in your next post:
  • Malwarebytes log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 22nd, 2008, 12:21 am

Here is my latest Malwarebytes and HJT logs:


=========================
Malwarebytes' Anti-Malware 1.09
Database version: 518

Scan type: Full Scan (C:\|)
Objects scanned: 87946
Time elapsed: 29 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 93

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{89cc26bc-9256-4cca-a7f3-b9d6c48dba71} (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\rabio.rabiobho (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\rabio.rabiobho.1 (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{923ca88a-ae69-49af-bf65-9a3123b14ccb} (Adware.RABCO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{8c36d71b-0a48-4d38-9def-2a2a2669d0c9} (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\nvcoi (Trojan.Stars) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\NoDNS (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Rabio.RabioBHO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\RABCO (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RABCO (Adware.RABCO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Rabio.DLL (Adware.RABCO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinTouch (Adware.WinPop) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\nvcoi (Trojan.Stars) -> No action taken.
C:\WINDOWS\system32\dr6 (Adware.Rabio) -> No action taken.
C:\WINDOWS\system32\ech5 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lows8 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\sbc2 (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\typ2 (Trojan.Downloader) -> No action taken.
C:\Program Files\CPV (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> No action taken.

Files Infected:
C:\Documents and Settings\Kevin\Application Data\Microsoft\Windows\rayiou.exe (Trojan.Agent) -> No action taken.
C:\Program Files\HijackThis\backups\backup-20080321-000445-486.dll (Trojan.Downloader) -> No action taken.
C:\Program Files\nvcoi\nvcoi.exe (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\Documents and Settings\Kevin\Application Data\WinTouch\WTUninstaller.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir (Adware.PurityScan) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir (Adware.PurityScan) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\InetGet2\MTE3MTk6ODoxNg.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir (Trojan.Insider) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir (Trojan.DNSChanger) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\NoDNS\NoDNS.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo.dll.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Online Services\lavupaxo947.dll.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCO.dll.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\un_RABCOSetup_16230.exe.vir (Adware.Rabio) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\RABCO\X_RABCOse.exe.vir (Adware.RABCO) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.8.8\webbuying.exe.vir (Adware.WebBuying) -> No action taken.
C:\QooBox\Quarantine\C\Program Files\Windows Plus\jilawixy89104.dll.vir (Adware.TTC) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir (Trojan.Insider) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b153.exe.vir (Trojan.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir (Trojan.Matcash) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir (Trojan.DownLoader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir (Trojan.Downloader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir (Trojan.BHO) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir (Malware.Trace) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\asappsrv.dll.vir (AdWare.CommAd) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\S2V2aW4\command.exe.vir (AdWare.CommAd) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir (Adware.TargetSaver) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir (Adware.TargetSaver) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\mvfqonj.dll.vir (Adware.Agent) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\yvqam.dll.vir (Adware.ClickSpring) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\iDlo01\iDlo011065.exe.vir (Trojan.DownLoader) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\MCROSO~1\nopdb.exe.vir (Adware.Purityscan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015242.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015244.exe (Adware.WebBuying) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP100\A0015255.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP102\A0015283.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP102\A0015299.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015326.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015329.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015348.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015381.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015412.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015414.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015418.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP103\A0015419.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015526.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015527.exe (Trojan.Insider) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015529.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015532.dll (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015534.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015535.exe (Adware.Rabio) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015536.exe (Adware.RABCO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015537.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015538.exe (Trojan.DNSChanger) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015540.dll (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015542.exe (Adware.WebBuying) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015543.exe (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015544.exe (Adware.Purityscan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015546.exe (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015548.exe (Adware.PurityScan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015549.exe (Adware.PurityScan) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015550.dll (Adware.TargetSaver) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015551.vbs (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015552.exe (Trojan.DownLoader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015553.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015554.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015555.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015556.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015557.exe (Trojan.Insider) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015558.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015559.exe (Trojan.Matcash) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015560.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015561.dll (Adware.ClickSpring) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015562.dll (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015574.exe (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015575.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015576.dll (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015577.dll (Adware.TTC) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015579.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015582.dll (AdWare.CommAd) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP104\A0015723.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\dr6\crecomdll1.exe (Adware.RABCO) -> No action taken.
C:\WINDOWS\system32\ech5\vomb33dll.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lows8\spgdn65.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\typ2\key89104.exe (Adware.TTC) -> No action taken.
C:\Program Files\nvcoi\mst.stt (Trojan.Stars) -> No action taken.
C:\Program Files\nvcoi\nvcoi.exe.lzma (Trojan.Stars) -> No action taken.


=================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:00 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9138 bytes
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 22nd, 2008, 4:07 am

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
 
    Folder::
C:\WINDOWS\system32\typ2
C:\WINDOWS\system32\sbc2
C:\WINDOWS\system32\lows8
C:\WINDOWS\system32\ech5
C:\WINDOWS\system32\dr6
C\Program Files\RABCO
C:\Program Files\nvcoi
C\Program Files\NoDNS


Look::
C:\WINDOWS\system32\MCROSO~1

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
        C:\Program Files\?ystem
        


  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Infected Laptop

Unread postby Towel » March 22nd, 2008, 1:53 pm

Below are my ComboFix and OTMoveIt2 logs.


==================
ComboFix 08-03-18.1 - Kevin 2008-03-22 10:43:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.541 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dr6
C:\WINDOWS\system32\dr6\crecomdll1.exe
C:\WINDOWS\system32\ech5
C:\WINDOWS\system32\ech5\vomb33dll.exe
C:\WINDOWS\system32\lows8
C:\WINDOWS\system32\lows8\spgdn65.exe
C:\WINDOWS\system32\sbc2
C:\WINDOWS\system32\typ2
C:\WINDOWS\system32\typ2\key89104.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 10:39 . 2008-03-22 10:39 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-21 20:24 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-21 20:23 . 2008-03-21 20:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-21 13:10 . 2008-03-21 13:10 <DIR> d-------- C:\Program Files\Virus
2008-03-21 13:10 . 2008-03-21 13:10 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-03-21 13:10 . 2008-03-21 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 00:17 . 2008-03-21 00:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-21 00:17 . 2008-03-21 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 19:41 . 2008-03-21 00:04 <DIR> d-------- C:\Program Files\CPV
2008-03-19 19:21 . 2008-03-19 19:21 <DIR> d-------- C:\Program Files\CCleaner
2008-03-12 20:05 . 2008-03-13 20:14 1,320,173 ---hs---- C:\WINDOWS\system32\whawfbkn.ini
2008-03-12 01:15 . 2008-03-12 01:15 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 00:55 . 2008-03-19 19:26 <DIR> d-------- C:\Program Files\nvcoi
2008-03-11 00:56 . 2008-03-11 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-11 00:51 . 2008-03-11 00:55 <DIR> d-------- C:\Program Files\Dell Support Center
2008-03-11 00:51 . 2008-03-11 00:51 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-03-10 23:57 . 2008-03-10 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-10 23:56 . 2008-03-19 19:48 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 03:28 --------- d--h--r C:\Documents and Settings\Kevin\Application Data\yahoo!
2008-03-22 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-22 03:24 --------- d-----w C:\Program Files\Java
2008-03-22 03:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-22 02:33 --------- d-----w C:\Program Files\WildTangent
2008-03-21 06:24 --------- d-----w C:\Program Files\Viewpoint
2008-03-21 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-20 02:54 --------- d-----w C:\Program Files\Windows Plus
2008-03-11 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-25 05:30 88 --sh--r C:\WINDOWS\system32\649B6611F4.sys
2007-10-25 05:30 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-19_19.59.23.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-22 03:12:46 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2006-06-05 21:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 21:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 21:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 17:38 20553]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49 4670968]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 08:09 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-15 00:38 7118848]
"nwiz"="nwiz.exe" [2005-12-15 00:38 1519616 C:\WINDOWS\system32\nwiz.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 02:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 19:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 08:44 839680]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 14:30 823362]
"HostManager"="C:\Program Files\Common Files\AOL\1147155041\ee\AOLSoftware.exe" [2006-04-20 10:10 50792]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-26 11:54:54 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147155041\\ee\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 20:37:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 10:46:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 10:46:41
ComboFix-quarantined-files.txt 2008-03-22 17:46:32
ComboFix2.txt 2008-03-21 07:09:44
ComboFix3.txt 2008-03-20 02:59:37
.
2008-03-12 08:15:05 --- E O F ---


==================
OTMoveIt2 Log:

[Custom Input]
< C:\Program Files\?ystem >
File/Folder C:\Program Files\?ystem not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_104933
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: Infected Laptop

Unread postby dan12 » March 22nd, 2008, 11:13 pm

Hi,
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: Select all
    purity
        


  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


-----------------------------

Question if I may, did you download malwarebytes via my signature? as I can't see Instruction for it apart from me asking for a mawarebytes log?
Reason I ask is on both occasions when you have run the scan it's not dealt with what it finds which is normally the case. You need to click "Remove Selected"

I will give you my Instruction, could you run it again for me.


: Malwarebytes' Anti-Malware :

  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malwarethen click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt

Please include in your next post:
  • Malwarebytes log
  • OTMoveIt2 log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 55 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware