Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

27th July 2008, post #1
Posted by vrjuns (Member; Join Date: Jul 2008; Posts: 9; Computer Experience: beginner)


[Resolved] Unable to clean/remove the virus

Hi, I found these two threats using ESET Smart Security. These are the files:
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo0.dll.q_804EC01_q - a variant of Win32/Pacex.Gen virus - unable to clean
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo.exe.q_804CB98_q - Win32/Pacex.Gen virus - unable to clean

These are the problems with my laptop:
* I can't open other applications like YM and WinRAR
* My system is too slow

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:03 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Brightness.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ulso0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Advanced Woman Calendar] "C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" -m
O4 - HKCU\..\Run: [kvasoft] C:\WINDOWS\system32\kvosoft.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Deckard's System Scanner v20071014.68
Run by Kina on 2008-07-27 13:38:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
41: 2008-07-27 05:38:16 UTC - RP167 - Deckard's System Scanner Restore Point
40: 2008-07-27 04:05:29 UTC - RP166 - Installed AVG Free 8.0
39: 2008-07-27 04:04:49 UTC - RP165 - Removed AVG Free 8.0
38: 2008-07-26 23:01:45 UTC - RP164 - Installed AVG Free 8.0
37: 2008-07-26 17:33:02 UTC - RP163 - System Checkpoint


-- First Restore Point --
1: 2008-06-11 06:39:12 UTC - RP127 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.02 GiB (less than 15%) free.


-- HijackThis (run as Kina.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:09 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Brightness.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kina\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kina.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ulso0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Advanced Woman Calendar] "C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" -m
O4 - HKCU\..\Run: [kvasoft] C:\WINDOWS\system32\kvosoft.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9866 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 atitray - c:\program files\radeon omega drivers\v3.8.231\ati tray tools\atitray.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R2 KeyAgent - c:\windows\system32\drivers\keyagent.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 keymagic (USB Keyboard HID Filter) - c:\windows\system32\drivers\keymagic.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R3 aapltctp (Apple Trackpad) - c:\windows\system32\drivers\aapltctp.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 filter - c:\windows\system32\drivers\filter.sys <Not Verified; Apple Computer inc.; sys>
R3 StartupDiskDriver - c:\windows\system32\drivers\startupdiskdriver.sys <Not Verified; Apple Computer, Inc.; Apple Startup Disk Driver>

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 PPJoyBus (Parallel Port Joystick Bus device driver) - c:\windows\system32\drivers\ppjoybus.sys <Not Verified; Deon van der Westhuysen; Parallel Port Joystick Bus Enumerator>
S3 realf (RealFlight Service) - c:\windows\system32\drivers\realf.sys (file missing)
S3 usbu2a - c:\windows\system32\drivers\usbu2a.sys <Not Verified; USB Compliance; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DF5Serv - c:\program files\faronics\deep freeze\install c-0\df5serv.exe <Not Verified; Faronics Corporation; Deep Freeze 6>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0002\A
Manufacturer:
Name:
PNP Device ID: ACPI\APP0002\A
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Service:

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: USB Human Interface Device
Device ID: USB\VID_05AC&PID_8240\5&11730951&0&2
Manufacturer: (Standard system devices)
Name: USB Human Interface Device
PNP Device ID: USB\VID_05AC&PID_8240\5&11730951&0&2
Service: HidUsb

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0001\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\APP0001\4&38462492&0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\IFX0101\1
Manufacturer:
Name:
PNP Device ID: ACPI\IFX0101\1
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 13:45:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 13:35:08 0 d-------- C:\Program Files\Trend Micro
2008-07-27 13:08:42 106496 -r-hs---- C:\WINDOWS\system32\sool1.dll
2008-07-27 12:07:10 106496 -----n--- C:\WINDOWS\system32\sool0.dll
2008-07-27 12:05:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 12:03:22 0 dr-h----- C:\Documents and Settings\Kina\Recent
2008-07-27 07:01:46 0 d-------- C:\Program Files\AVG
2008-07-26 22:04:59 4050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 22:04:25 0 d-------- C:\SmitfraudFix
2008-07-26 21:56:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-26 20:35:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-07-26 20:34:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-26 20:34:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-26 20:34:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-26 20:34:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-26 20:34:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-26 20:34:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-26 20:34:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-26 20:34:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-26 20:34:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-26 20:34:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-26 20:34:35 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-26 20:34:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-26 20:34:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-26 20:34:34 786432 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-26 19:37:47 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-26 18:55:03 148573 -r-hs---- C:\2moh9y.exe
2008-07-26 07:45:09 148573 -r-hs---- C:\WINDOWS\system32\kvosoft.exe
2008-07-21 10:34:27 0 d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15:06 0 d--hs---- C:\FOUND.000


-- Find3M Report ---------------------------------------------------------------

2008-07-27 12:11:42 4132 --a------ C:\WINDOWS\bthservsdp.dat
2008-06-14 18:21:26 44 --a------ C:\WINDOWS\popcinfo.dat
2008-06-10 14:03:50 0 d-------- C:\Program Files\AMPED
2008-06-05 11:21:48 0 d-------- C:\Program Files\Three Rings Design
2008-06-04 20:14:06 0 d-------- C:\Documents and Settings\Kina\Application Data\bang


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="atiptaxx.exe" [11/23/2005 09:05 AM C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="rundll32.exe" [08/03/2004 10:56 PM C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/26/2006 06:04 PM]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [07/14/2006 05:18 PM]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [07/14/2006 05:24 PM]
"arc"="C:\WINDOWS\system32\arc.exe" [09/12/2006 02:58 PM]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [09/06/2006 07:15 PM]
"SigmatelSysTrayApp"="sttray.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [09/01/2004 01:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [09/01/2004 01:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [09/01/2004 01:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [09/01/2004 01:00 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 10:59 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [05/23/2005 09:57 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 10:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/02/2007 03:29 AM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 10:59 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [01/18/2008 12:51 AM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [02/20/2008 04:19 PM]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [05/25/2008 07:41 PM]
"kvasoft"="C:\WINDOWS\system32\kvosoft.exe" [07/27/2008 01:08 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NofolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
LogonDll.dll 11/29/2006 02:55 AM 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\lgnaqil.exe
explore\Command- C:\lgnaqil.exe
open\Command- C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{246198b2-a245-11dc-8fc7-0014515ab700}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{246198b3-a245-11dc-8fc7-0014515ab700}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f66d028-9d59-11dc-8fbc-0014515ab700}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
AutoRun\command- E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c6cc246-a197-11dc-8fc6-0014515ab700}]
AutoRun\command- E:\6q8ld.exe
explore\Command- E:\6q8ld.exe
open\Command- E:\6q8ld.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a05ab3d0-aefd-11dc-8fe3-0014515ab700}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a65fae15-ae1e-11dc-8fe0-001451ed5fce}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd739b3f-e2f4-11da-8bd7-806d6172696f}]
AutoRun\command- C:\2moh9y.exe
explore\Command- C:\2moh9y.exe
open\Command- C:\2moh9y.exe

Thanks in advance.


29th July 2008   #2
noahdfear (Staff; joined Apr 2003; New Bremen, Ohio U.S.A.; 12,521 posts)

Welcome to WindowsBBS vrjuns

You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
  • Plug in your USB flash drive.
  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Your desktop will vanish for a while, and then reappear. This is normal.
  • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.

Next, download ComboFix by sUBs from here, saving the file to your desktop.


Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


29th July 2008   #3
vrjuns (Member; joined Jul 2008; 9 posts; computer experience: beginner)

Thanks for the help...
Here is the log file of ComboFix.

ComboFix 08-07-26.1 - Kina 2008-07-29 19:28:47.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1542 [GMT 8:00]
Running from: C:\Documents and Settings\Kina\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-28 21:55 . 2008-07-28 21:54 149,481 -r-hs---- C:\gd6.exe
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:35 . 2008-07-27 13:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 13:08 . 2008-07-28 21:55 108,544 -r-hs---- C:\WINDOWS\system32\sool1.dll
2008-07-27 12:07 . 2008-07-28 21:54 106,496 --------- C:\WINDOWS\system32\sool0.dll
2008-07-27 12:05 . 2008-07-27 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 07:01 . 2008-07-27 07:01 <DIR> d-------- C:\Program Files\AVG
2008-07-26 22:04 . 2008-06-15 15:25 <DIR> d-------- C:\SmitfraudFix
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 20:34 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 19:37 . 2008-07-26 19:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-26 18:55 . 2008-07-27 13:08 148,573 -r-hs---- C:\2moh9y.exe
2008-07-26 07:45 . 2008-07-28 21:54 149,481 -r-hs---- C:\WINDOWS\system32\kvosoft.exe
2008-07-21 10:34 . 2008-07-21 10:34 <DIR> d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15 . 2008-07-06 19:15 <DIR> d--hs---- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:03 --------- d-----w C:\Program Files\AMPED
2008-06-05 03:21 --------- d-----w C:\Program Files\Three Rings Design
2008-06-04 12:14 --------- d-----w C:\Documents and Settings\Kina\Application Data\bang
2008-04-05 12:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-21 11:35 15,364 ---ha-w C:\Program Files\.DS_Store
2008-01-07 13:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-21 23:10 47,360 ----a-w C:\Documents and Settings\Kina\Application Data\pcouffin.sys
2007-11-24 20:46 251,392 ----a-w C:\Program Files\opera\program\plugins\dapop.dll
2008-04-23 10:40 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 10:40 8 --sh--r C:\WINDOWS\system32\E9A64C33A0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-18 00:51 486856]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [2008-05-25 19:41 437360]
"kvasoft"="C:\WINDOWS\system32\kvosoft.exe" [2008-07-28 21:54 149481]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-26 18:04 180269]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-07-14 17:24 172032]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-09-06 19:15 380928]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 01:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-01 01:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 09:57 90112]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Kina\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 DeepFrz;DeepFrz;C:\WINDOWS\system32\drivers\DeepFrz.sys [2006-11-29 02:57]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-25 03:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-09-08 16:04]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-09-06 19:17]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-01 07:49]
R3 aapltctp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-08-23 17:04]
R3 filter;filter;C:\WINDOWS\system32\DRIVERS\filter.sys [2006-03-08 10:03]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys [2008-01-04 20:34]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-04-11 08:30]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 realf;RealFlight Service;C:\WINDOWS\system32\DRIVERS\realf.sys []
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 12:57]
S3 usbu2a;UsbU2A;C:\WINDOWS\system32\Drivers\usbu2a.sys [2001-08-30 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\lgnaqil.exe
\Shell\explore\Command - C:\lgnaqil.exe
\Shell\open\Command - C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!-:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0- []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 -: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O17 -: HKLM\CCS\Interface\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 -: Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll
O18 -: Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 19:29:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Completion time: 2008-07-29 19:30:01
ComboFix-quarantined-files.txt 2008-07-29 11:30:00
ComboFix2.txt 2008-07-28 14:04:48

Pre-Run: 930,578,432 bytes free
Post-Run: 916,340,736 bytes free

143 --- E O F --- 2007-11-28 04:26:07

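A triage helper for the log above, added here as an example; it is not a ComboFix or WindowsBBS tool and not code posted by anyone in this thread. The three indicators it extracts are the ones the log itself exposes: the MountPoints2 entries whose \Shell\AutoRun, \Shell\open and \Shell\explore commands point at an executable in a drive root (Explorer caches a volume's autorun.inf under that key, so double-clicking the drive launches the target), the read-only+hidden+system executables in the "Files Created" listing (the -r-hs---- pattern on C:\gd6.exe, C:\2moh9y.exe and kvosoft.exe), and the Security Center AntiVirusOverride/FirewallOverride flags together with EnableFirewall=0. SAMPLE_LOG is a constructed excerpt of the lines posted above; the regular expressions for the ComboFix line formats are my own assumptions about that layout, not ComboFix's specification.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: lines copied from the log posted above, trimmed to the
# sections the analyzer cares about. Any ComboFix log text can be passed instead.
SAMPLE_LOG = r"""
2008-07-28 21:55 . 2008-07-28 21:54 149,481 -r-hs---- C:\gd6.exe
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:08 . 2008-07-28 21:55 108,544 -r-hs---- C:\WINDOWS\system32\sool1.dll
2008-07-27 12:07 . 2008-07-28 21:54 106,496 --------- C:\WINDOWS\system32\sool0.dll
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 07:45 . 2008-07-28 21:54 149,481 -r-hs---- C:\WINDOWS\system32\kvosoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\lgnaqil.exe
\Shell\explore\Command - C:\lgnaqil.exe
\Shell\open\Command - C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe
"""

EXEC_EXT = (".exe", ".dll", ".vbs", ".scr", ".com", ".pif", ".bat", ".cmd")

# Assumed "Files Created" layout: <ctime> . <mtime> <size|<DIR>> <attrs> <path>
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Accepts both "\Shell\open\Command - target" and the shorter "open\Command- target" form.
SHELL_RE = re.compile(
    r"^(?:\\?Shell\\)?(?P<verb>\w+)\\command\s*-\s*(?P<target>.+?)\s*$", re.IGNORECASE
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')


@dataclass
class Findings:
    hidden_system_executables: List[str] = field(default_factory=list)
    autorun_hijacks: List[Tuple[str, str, str]] = field(default_factory=list)  # (key tail, verb, target)
    security_center_overrides: List[str] = field(default_factory=list)
    firewall_disabled: bool = False


def _is_hidden_system_exec(attrs: str, path: str) -> bool:
    # ComboFix attribute columns: d r a h s ...  A file (not a directory) carrying
    # both hidden and system bits and an executable extension is the pattern
    # the dropped files in this thread show.
    return (not attrs.startswith("d") and "h" in attrs and "s" in attrs
            and path.lower().endswith(EXEC_EXT))


def triage(log_text: str) -> Findings:
    """Walk the log once, tracking the current registry key for value lines."""
    f = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            if _is_hidden_system_exec(m["attrs"], m["path"]):
                f.hidden_system_executables.append(m["path"])
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        m = SHELL_RE.match(line)
        if m and "mountpoints2" in current_key:
            key_tail = current_key.rsplit("\\", 1)[-1]
            f.autorun_hijacks.append((key_tail, m["verb"].lower(), m["target"]))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"].lower()
        if ("security center" in current_key
                and name in ("AntiVirusOverride", "FirewallOverride")
                and value.endswith("00000001")):
            f.security_center_overrides.append(name)
        elif ("firewallpolicy" in current_key and name == "EnableFirewall"
                and value.startswith("0")):
            f.firewall_disabled = True
    return f


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("hidden+system executables:", r.hidden_system_executables)
    print("MountPoints2 shell commands:", r.autorun_hijacks)
    print("Security Center overrides:", r.security_center_overrides)
    print("firewall disabled:", r.firewall_disabled)
```

Run it against a full ComboFix log by reading the file into triage(); the MountPoints2 hits are the keys a CFScript Registry:: section would remove, and the hidden+system list is the candidate Suspect:: list, which is what the helper's script further down the thread does by hand.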

30th July 2008   #4
noahdfear (Staff; joined Apr 2003; New Bremen, Ohio U.S.A.; 12,521 posts)

Please post the log from the first ComboFix run. It is located at C:\Qoobox\ComboFix2.txt

30th July 2008   #5
vrjuns (Member; joined Jul 2008; 9 posts; computer experience: beginner)

Here's the log file.

ComboFix 08-07-26.1 - Kina 2008-07-28 22:02:01.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT 8:00]
Running from: C:\Documents and Settings\Kina\My Documents\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Kina\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-28 21:55 . 2008-07-28 21:54 149,481 -r-hs---- C:\gd6.exe
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:35 . 2008-07-27 13:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 13:08 . 2008-07-28 21:55 108,544 -r-hs---- C:\WINDOWS\system32\sool1.dll
2008-07-27 12:07 . 2008-07-28 21:54 106,496 --------- C:\WINDOWS\system32\sool0.dll
2008-07-27 12:05 . 2008-07-27 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 07:01 . 2008-07-27 07:01 <DIR> d-------- C:\Program Files\AVG
2008-07-26 22:04 . 2008-06-15 15:25 <DIR> d-------- C:\SmitfraudFix
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 20:34 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 19:37 . 2008-07-26 19:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-26 18:55 . 2008-07-27 13:08 148,573 -r-hs---- C:\2moh9y.exe
2008-07-26 07:45 . 2008-07-28 21:54 149,481 -r-hs---- C:\WINDOWS\system32\kvosoft.exe
2008-07-21 10:34 . 2008-07-21 10:34 <DIR> d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15 . 2008-07-06 19:15 <DIR> d--hs---- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:03 --------- d-----w C:\Program Files\AMPED
2008-06-05 03:21 --------- d-----w C:\Program Files\Three Rings Design
2008-06-04 12:14 --------- d-----w C:\Documents and Settings\Kina\Application Data\bang
2008-04-05 12:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-21 11:35 15,364 ---ha-w C:\Program Files\.DS_Store
2008-01-07 13:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-21 23:10 47,360 ----a-w C:\Documents and Settings\Kina\Application Data\pcouffin.sys
2007-11-24 20:46 251,392 ----a-w C:\Program Files\opera\program\plugins\dapop.dll
2008-04-23 10:40 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 10:40 8 --sh--r C:\WINDOWS\system32\E9A64C33A0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-18 00:51 486856]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [2008-05-25 19:41 437360]
"kvasoft"="C:\WINDOWS\system32\kvosoft.exe" [2008-07-28 21:54 149481]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-26 18:04 180269]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-07-14 17:24 172032]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-09-06 19:15 380928]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 01:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-01 01:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 09:57 90112]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Kina\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 DeepFrz;DeepFrz;C:\WINDOWS\system32\drivers\DeepFrz.sys [2006-11-29 02:57]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-25 03:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-09-08 16:04]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-09-06 19:17]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-01 07:49]
R3 aapltctp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-08-23 17:04]
R3 filter;filter;C:\WINDOWS\system32\DRIVERS\filter.sys [2006-03-08 10:03]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys [2008-01-04 20:34]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-04-11 08:30]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 realf;RealFlight Service;C:\WINDOWS\system32\DRIVERS\realf.sys []
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 12:57]
S3 usbu2a;UsbU2A;C:\WINDOWS\system32\Drivers\usbu2a.sys [2001-08-30 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\lgnaqil.exe
\Shell\explore\Command - C:\lgnaqil.exe
\Shell\open\Command - C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!-:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0- []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 -: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O17 -: HKLM\CCS\Interface\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 -: Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll
O18 -: Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 22:04:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Completion time: 2008-07-28 22:04:45
ComboFix-quarantined-files.txt 2008-07-28 14:04:42

Pre-Run: 920,256,512 bytes free
Post-Run: 963,608,576 bytes free

152 --- E O F --- 2007-11-28 04:26:07


1st August 2008   #6
noahdfear (Staff; joined Apr 2003; New Bremen, Ohio U.S.A.; 12,521 posts)

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/malware-virus-removal/75463-unable-clean-remove-virus.html

Extra::
Suspect::[22]
C:\gd6.exe
C:\WINDOWS\system32\sool1.dll
C:\WINDOWS\system32\sool0.dll
C:\2moh9y.exe
C:\WINDOWS\system32\kvosoft.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send.
Thanks!


1st August 2008   #7
vrjuns (Member; joined Jul 2008; 9 posts; computer experience: beginner)

Here is the new log file of ComboFix, and I have already submitted the files for analysis.

ComboFix 08-07-26.1 - Kina 2008-08-01 22:30:43.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT 8:00]
Running from: C:\Documents and Settings\Kina\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kina\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 22:26 . 2008-08-01 22:25 148,068 -r-hs---- C:\sdb.exe
2008-07-28 21:55 . 2008-07-28 21:54 149,481 -r-hs---- C:\gd6.exe
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:35 . 2008-07-27 13:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 13:08 . 2008-08-01 22:25 111,104 -r-hs---- C:\WINDOWS\system32\sool1.dll
2008-07-27 12:07 . 2008-08-01 22:24 108,544 --------- C:\WINDOWS\system32\sool0.dll
2008-07-27 12:05 . 2008-07-27 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 07:01 . 2008-07-27 07:01 <DIR> d-------- C:\Program Files\AVG
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 20:34 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 19:37 . 2008-07-26 19:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-26 18:55 . 2008-07-27 13:08 148,573 -r-hs---- C:\2moh9y.exe
2008-07-26 07:45 . 2008-08-01 22:25 148,068 -r-hs---- C:\WINDOWS\system32\kvosoft.exe
2008-07-21 10:34 . 2008-07-21 10:34 <DIR> d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15 . 2008-07-06 19:15 <DIR> d--hs---- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:03 --------- d-----w C:\Program Files\AMPED
2008-06-05 03:21 --------- d-----w C:\Program Files\Three Rings Design
2008-06-04 12:14 --------- d-----w C:\Documents and Settings\Kina\Application Data\bang
2008-04-05 12:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-21 11:35 15,364 ---ha-w C:\Program Files\.DS_Store
2008-01-07 13:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-21 23:10 47,360 ----a-w C:\Documents and Settings\Kina\Application Data\pcouffin.sys
2007-11-24 20:46 251,392 ----a-w C:\Program Files\opera\program\plugins\dapop.dll
2008-04-23 10:40 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 10:40 8 --sh--r C:\WINDOWS\system32\E9A64C33A0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-18 00:51 486856]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [2008-05-25 19:41 437360]
"kvasoft"="C:\WINDOWS\system32\kvosoft.exe" [2008-08-01 22:25 148068]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-26 18:04 180269]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-07-14 17:24 172032]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-09-06 19:15 380928]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 01:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-01 01:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 09:57 90112]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Kina\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 DeepFrz;DeepFrz;C:\WINDOWS\system32\drivers\DeepFrz.sys [2006-11-29 02:57]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-25 03:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-09-08 16:04]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-09-06 19:17]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-01 07:49]
R3 aapltctp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-08-23 17:04]
R3 filter;filter;C:\WINDOWS\system32\DRIVERS\filter.sys [2006-03-08 10:03]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys [2008-01-04 20:34]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-04-11 08:30]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 realf;RealFlight Service;C:\WINDOWS\system32\DRIVERS\realf.sys []
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 12:57]
S3 usbu2a;UsbU2A;C:\WINDOWS\system32\Drivers\usbu2a.sys [2001-08-30 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\lgnaqil.exe
\Shell\explore\Command - C:\lgnaqil.exe
\Shell\open\Command - C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!,;:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0- []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 -: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O17 -: HKLM\CCS\Interface\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 -: Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll
O18 -: Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~1\DAPPRE~1\dapie.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 22:32:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Completion time: 2008-08-01 22:33:06
ComboFix-quarantined-files.txt 2008-08-01 14:33:04
ComboFix3.txt 2008-07-28 14:04:48
ComboFix2.txt 2008-07-29 11:30:04

Pre-Run: 1,192,837,120 bytes free
Post-Run: 1,222,066,176 bytes free

144 --- E O F --- 2007-11-28 04:26:07

Old 2nd August 2008   #8
noahdfear (Staff)
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+

Thanks for the upload! Those files are all infected, and now there's another new one. Let's nuke 'em.

Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop. So you know, ComboFix has a new icon.

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad document, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/malware-virus-removal/75463-unable-clean-remove-virus.html

Collect::
C:\sdb.exe
C:\gd6.exe
C:\WINDOWS\system32\sool1.dll
C:\WINDOWS\system32\sool0.dll
C:\2moh9y.exe
C:\WINDOWS\system32\kvosoft.exe
File::
C:\lgnaqil.exe
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo0.dll.q_804EC01_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo.exe.q_804CB98_q
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kvasoft"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

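The log in post #7 and the CFScript that acts on it, as an added example that is not part of this thread and not ComboFix's own code: the Python below parses the "Reg Loading Points" format exactly as posted (Run entries with their [date time size] suffix, MountPoints2 Shell\...\command lines, the Security Center and firewall values), flags the three things the script above targets, and drafts the Collect::/File::/Registry:: sections for the high-severity hits. The sample log is a constructed, abridged copy of the lines posted above; the seven-day "recently written" window is an assumed threshold, not a ComboFix setting, and the drafted script is for a helper to review by hand, not to drop onto ComboFix unread.

```python
"""Triage the persistence points in a ComboFix 'Reg Loading Points' section.

Added example (not from this thread, not ComboFix code). Flags:
  1. Run entries whose binary was written shortly before the scan
     (kvosoft.exe is dated seven minutes before the catchme scan),
  2. MountPoints2 Shell\\...\\command handlers (Explorer runs the target
     when the drive is opened; the C key is the fixed system disk),
  3. Security Center override flags and EnableFirewall=0,
then drafts CFScript sections for the high-severity findings.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

RECENT = timedelta(days=7)  # assumed threshold, tune per case

Finding = namedtuple("Finding", "severity key name target note")

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="command" [YYYY-MM-DD HH:MM size] or [... size C:\full\path.exe]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \d+(?: (.+?))?\]$')
MOUNT_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
OVERRIDE_RE = re.compile(r'^"(\w*Override)"=dword:00000001$')
SCAN_RE = re.compile(r"^Rootkit scan (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$", re.MULTILINE)

# Constructed sample: an abridged copy of the lines in the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"kvasoft"="C:\WINDOWS\system32\kvosoft.exe" [2008-08-01 22:25 148068]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\lgnaqil.exe
\Shell\explore\Command - C:\lgnaqil.exe
\Shell\open\Command - C:\lgnaqil.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe

Rootkit scan 2008-08-01 22:32:41
"""


def triage(log_text):
    """Return findings in log order; the scan time is taken from the catchme line."""
    m = SCAN_RE.search(log_text)
    if m is None:
        raise ValueError("no 'Rootkit scan' timestamp in log")
    scan_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:                      # a [registry key] header opens a new block
            key = km.group(1)
            continue
        if not line or key is None:
            continue
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            rm = RUN_RE.match(line)
            if rm:
                name, cmd, stamp, full = rm.groups()
                age = scan_time - datetime.strptime(stamp, "%Y-%m-%d %H:%M")
                if age < RECENT:
                    findings.append(Finding("high", key, name, full or cmd,
                                            f"autostart binary written {age} before the scan"))
        elif "\\mountpoints2\\" in low:
            mm = MOUNT_RE.match(line)
            if mm:
                verb, target = mm.groups()
                fixed = len(key.rsplit("\\", 1)[1]) == 1   # drive letter, not a {GUID} volume id
                findings.append(Finding("high" if fixed else "medium", key, verb, target,
                                        "Explorer runs this when the fixed disk is opened" if fixed
                                        else "autorun handler remembered for a removable volume"))
        elif low.endswith("security center"):
            om = OVERRIDE_RE.match(line)
            if om:
                findings.append(Finding("info", key, om.group(1), line,
                                        "Security Center told to ignore missing protection"))
        elif low.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"= 0'):
            findings.append(Finding("info", key, "EnableFirewall", line, "Windows Firewall switched off"))
    return findings


def draft_cfscript(findings):
    """Draft CFScript sections for high-severity findings, in the syntax of the posted script:
    Collect:: removes a file and packages it for submission, File:: removes it,
    Registry:: applies .reg syntax ("name"=- deletes a value, [-key] deletes a key)."""
    collect, files, registry = [], [], []
    for f in findings:
        if f.severity != "high":
            continue
        if f.key.lower().endswith("\\currentversion\\run"):
            collect.append(f.target)
            registry += [f"[{f.key}]", f'"{f.name}"=-']
        elif "\\mountpoints2\\" in f.key.lower():
            if f.target not in files:
                files.append(f.target)
            if f"[-{f.key}]" not in registry:
                registry.append(f"[-{f.key}]")
    sections = [("Collect::", collect), ("File::", files), ("Registry::", registry)]
    return "\n".join(line for header, items in sections if items for line in [header, *items])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:6} {f.name:18} {f.target}  ({f.note})")
    print()
    print(draft_cfscript(found))
```

The two MountPoints2 entries are deliberately treated differently: the key named C is the fixed system disk, so a Shell\AutoRun\command there runs C:\lgnaqil.exe whenever the drive is opened in Explorer, and that is the key the posted script deletes; the {GUID} key only records an autorun.exe from a removable volume that was once plugged in, which the posted script leaves alone. The timestamp heuristic is what singles out kvosoft.exe from the other Run entries: every other binary in the list is months or years old.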
Old 3rd August 2008   #9
vrjuns (Member)
Join Date: Jul 2008
Posts: 9
Computer Experience: beginner


I really appreciate your effort helping me with this problem.
Thanks a lot dude...

Here's the new log file of ComboFix and I already submitted the zip file for analysis.

ComboFix 08-08-01.05 - Kina 2008-08-03 9:40:33.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT 8:00]
Running from: C:\Documents and Settings\Kina\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kina\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo.exe.q_804CB98_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo0.dll.q_804EC01_q
C:\lgnaqil.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\._32fsU30.exe
C:\2moh9y.exe
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo.exe.q_804CB98_q
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kavo0.dll.q_804EC01_q
C:\gd6.exe
C:\sdb.exe
C:\WINDOWS\system32\kvosoft.exe
C:\WINDOWS\system32\sool0.dll
C:\WINDOWS\system32\sool1.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:35 . 2008-07-27 13:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 12:05 . 2008-07-27 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 07:01 . 2008-07-27 07:01 <DIR> d-------- C:\Program Files\AVG
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 20:34 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 19:37 . 2008-07-26 19:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-21 10:34 . 2008-07-21 10:34 <DIR> d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15 . 2008-07-06 19:15 <DIR> d--hs---- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:03 --------- d-----w C:\Program Files\AMPED
2008-06-05 03:21 --------- d-----w C:\Program Files\Three Rings Design
2008-06-04 12:14 --------- d-----w C:\Documents and Settings\Kina\Application Data\bang
2008-04-05 12:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-21 11:35 15,364 ---ha-w C:\Program Files\.DS_Store
2008-01-07 13:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-21 23:10 47,360 ----a-w C:\Documents and Settings\Kina\Application Data\pcouffin.sys
2007-11-24 20:46 251,392 ----a-w C:\Program Files\opera\program\plugins\dapop.dll
2008-04-23 10:40 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 10:40 8 --sh--r C:\WINDOWS\system32\E9A64C33A0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-18 00:51 486856]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [2008-05-25 19:41 437360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-26 18:04 180269]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-07-14 17:24 172032]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-09-06 19:15 380928]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 01:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-01 01:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 09:57 90112]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Kina\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 DeepFrz;DeepFrz;C:\WINDOWS\system32\drivers\DeepFrz.sys [2006-11-29 02:57]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-25 03:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-09-08 16:04]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-09-06 19:17]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-01 07:49]
R3 aapltctp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-08-23 17:04]
R3 filter;filter;C:\WINDOWS\system32\DRIVERS\filter.sys [2006-03-08 10:03]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys [2008-01-04 20:34]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-04-11 08:30]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 realf;RealFlight Service;C:\WINDOWS\system32\DRIVERS\realf.sys []
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 12:57]
S3 usbu2a;UsbU2A;C:\WINDOWS\system32\Drivers\usbu2a.sys [2001-08-30 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 09:41:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Completion time: 2008-08-03 9:41:47
ComboFix-quarantined-files.txt 2008-08-03 01:41:46
ComboFix4.txt 2008-07-28 14:04:48
ComboFix3.txt 2008-07-29 11:30:04
ComboFix2.txt 2008-08-01 14:33:08

Pre-Run: 1,033,273,344 bytes free
Post-Run: 1,020,624,896 bytes free

141 --- E O F --- 2007-11-28 04:26:07

Old 3rd August 2008   #10
noahdfear (Staff)
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+

Looks good. Please scan with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available, otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.

Post the Kaspersky log and a fresh HijackThis log here.

Old 4th August 2008   #11
vrjuns (Member)
Join Date: Jul 2008
Posts: 9
Computer Experience: beginner

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 04, 2008 4:52:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/08/2008
Kaspersky Anti-Virus database records: 1051288
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 76717
Number of viruses found: 14
Number of infected objects: 39
Number of suspicious objects: 0
Duration of the scan process: 00:50:18

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\ulso0.dll Infected: not-a-virus:AdWare.Win32.BBT.gw skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{44F6870C-1F91-4F25-8CC9-4BB2EB3FCF8E}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD52EBD0A-916D-4CF6-90BE-5DE7716698A4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS637E3EFD-592F-4B06-9D27-3DD262DA3058.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEE9815E1-4889-494F-BE68-523B44071B1A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS73487139-99C0-4A0A-A011-3A7039E90EE7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6D2C2827-A71B-4810-BD0B-37C5086D6791.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0E5F0DCE-1FB5-4F7B-81F4-E14861A9F1FA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS94EAE5BD-DE13-4A46-B2BB-5A942DC28B6B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS90D1FB08-273C-4CE1-9C42-A4C3830DFADF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS92389C2E-CEC8-41CB-BFBB-B0EC08D45AD6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0F36D4B3-E4A5-4B39-A88A-7C081DDDB5F7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3B87001E-A7E2-4C0F-82A8-474910726781.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE523B122-557A-48B1-959A-73C46E8070B2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA1BC8AC5-54A1-45A9-9C2C-A59220CEBEFF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS92976E90-C3A4-4645-AECE-0F0E53215AF4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA57D828B-4544-427D-9B34-28222DDF8CC2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS31D1E41F-FCE0-497D-B053-29C58400FC43.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS044B7D86-DB6B-46FA-9322-42AD0EDC4CE4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS21F048F3-9E81-49B8-8080-C244DFCEBFFE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS97494C1A-C44F-4E7C-A5C8-308EDBA13778.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D10ACBE-8283-4230-AFCB-95E61A5261CF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEF1AB4B3-AC61-473F-9FEC-DAC575D61AFE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4E8A3A4E-04EF-48C5-846A-E7F41094CAB5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1F8EBE79-B06F-4FD3-A76E-6484FA997B2F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS75489632-8EBD-49BF-90D8-48AE3B0F0838.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS163EC96D-26E5-4C90-8F63-CB9DDEA347A3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDEC9E49E-B2CF-4DDF-849C-884DE685E1B3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS86A120B5-1320-404A-95BC-FC22B744DF36.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1ED50C7F-14C6-4B6A-9C61-B948289EE596.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS17B61F8B-E46C-4AA2-8D10-DD9C08F90FC9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4BC57BBC-7D4C-4FEA-8FEE-DD302FF3F06F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS36F660AB-6370-4F70-821C-5C9EFCB5EA42.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC78B304-DDEB-4CA9-8D70-384656DEB797.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2555C21D-3ED0-4CDB-A6B2-CF7092146327.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5104F9F2-CA47-460D-A764-44AE47C33A9C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFEAF44FD-8EA7-48F1-A412-2C11884D1B8E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS00E96126-F139-402B-A20D-38FEED23B497.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS47CD14E1-E156-47D1-8A1F-362659538889.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8EB79EF6-093A-47FB-956A-628135F7823C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS919F814E-FAD8-411F-9B43-9C4D29BA082A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS795CF69A-9D9F-460E-926B-6F39ED34FEA4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS150EDC71-D400-439C-BC6C-5B8ABA9006FC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kina\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\History\History.IE5\MSHist012008072820080804\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\temp\Perflib_Perfdata_ed4.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\temp\fla173.tmp Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\temp\Perflib_Perfdata_874.dat Object is locked skipped
C:\Documents and Settings\Kina\Local Settings\temp\~DFF3AE.tmp Object is locked skipped
C:\Documents and Settings\Kina\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\history.dat Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\key3.db Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Mozilla\Firefox\Profiles\vmbdzf0a.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Kina\Application Data\Webroot\Spy Sweeper\Logs\080804070231.ses Object is locked skipped
C:\Documents and Settings\Kina\NTUSER.DAT Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Kina.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Kina.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Kina.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055809.inf Infected: Worm.Win32.AutoRun.eoa skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055826.dll Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055830.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055843.DLL Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055847.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055857.DLL Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP162\A0055861.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP163\A0055977.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP164\A0055987.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP164\A0056017.DLL Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP166\A0056111.DLL Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP166\A0056114.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP166\A0056126.DLL Infected: not-a-virus:AdWare.Win32.BBT.fx skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP166\A0056133.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP166\A0056135.exe Infected: Trojan.Win32.Vaklik.cie skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP167\A0056138.exe Infected: Trojan.Win32.Vaklik.ciq skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP168\A0057126.DLL Infected: not-a-virus:AdWare.Win32.BBT.ga skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP168\A0057133.exe Infected: Trojan.Win32.Vaklik.ciq skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP168\A0057135.exe Infected: Trojan.Win32.Vaklik.ciq skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP169\A0057155.exe Infected: Trojan.Win32.Vaklik.cjl skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP171\A0057303.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP171\A0057309.exe Infected: Backdoor.Win32.Hupigon.dckd skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP171\A0058126.DLL Infected: not-a-virus:AdWare.Win32.BBT.gg skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP171\A0058133.exe Infected: Trojan.Win32.Vaklik.cjl skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP171\A0058134.exe Infected: Trojan.Win32.Vaklik.cjl skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP172\A0058143.exe Infected: Trojan.Win32.Vaklik.cnm skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP174\A0058230.exe Infected: Trojan.Win32.Vaklik.ciq skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP174\A0058231.exe Infected: Trojan.Win32.Vaklik.cjl skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP174\A0058232.exe Infected: Trojan.Win32.Vaklik.cnm skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP174\A0058233.EXE Infected: Trojan.Win32.Vaklik.cnm skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP174\A0058235.dll Infected: Trojan.Win32.Inject.epv skipped
C:\System Volume Information\_restore{E430164D-D535-4102-BDE1-2860C0A836B0}\RP175\change.log Object is locked skipped
C:\Photoshop\mIRC - English.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\kavo.exe.q_804CB98_q.vir Infected: Trojan-PSW.Win32.OnLineGames.aiof skipped
C:\QooBox\Quarantine\C\2moh9y.exe.vir Infected: Trojan.Win32.Vaklik.ciq skipped
C:\QooBox\Quarantine\C\gd6.exe.vir Infected: Trojan.Win32.Vaklik.cjl skipped
C:\QooBox\Quarantine\C\sdb.exe.vir Infected: Trojan.Win32.Vaklik.cnm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kvosoft.exe.vir Infected: Trojan.Win32.Vaklik.cnm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sool1.dll.vir Infected: Trojan.Win32.Inject.epv skipped
C:\$Persi0.sys Object is locked skipped

Scan process completed.

4th August 2008   #12
vrjuns (Member; Join Date: Jul 2008; Posts: 9; Computer Experience: beginner)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:56 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Brightness.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Advanced Woman Calendar] "C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" -m
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24089A54-5173-4027-8240-EE5F3893C12B}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9666 bytes

5th August 2008   #13
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,521; Computer Experience: ~@<*+)


Should be the final run. Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop. The icon has been changed recently, so don't be alarmed if it's different than what you currently have.

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/malware-virus-removal/75463-unable-clean-remove-virus.html

Collect::
C:\WINDOWS\system32\ulso0.dll

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

5th August 2008   #14
vrjuns (Member; Join Date: Jul 2008; Posts: 9; Computer Experience: beginner)

Thanks for the great help...
Here's the log file of ComboFix

ComboFix 08-08-04.01 - Kina 2008-08-05 12:51:43.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT 8:00]
Running from: C:\Documents and Settings\Kina\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kina\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ulso0.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-04 12:35 . 2008-08-04 12:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-04 12:35 . 2008-08-04 12:35 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-04 12:35 . 2008-08-04 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 13:37 . 2008-07-27 13:37 <DIR> d-------- C:\Deckard
2008-07-27 13:35 . 2008-07-27 13:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 12:05 . 2008-07-27 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-27 07:01 . 2008-07-27 07:01 <DIR> d-------- C:\Program Files\AVG
2008-07-26 22:04 . 2008-07-26 22:06 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 20:34 . 2008-07-26 20:34 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 19:37 . 2008-07-26 19:37 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-21 10:34 . 2008-07-21 10:34 <DIR> d-------- C:\Documents and Settings\Kina\Application Data\InstallShield
2008-07-06 19:15 . 2008-07-06 19:15 <DIR> d--hs---- C:\FOUND.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:03 --------- d-----w C:\Program Files\AMPED
2008-06-05 03:21 --------- d-----w C:\Program Files\Three Rings Design
2008-04-05 12:59 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-21 11:35 15,364 ---ha-w C:\Program Files\.DS_Store
2008-01-07 13:16 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-21 23:10 47,360 ----a-w C:\Documents and Settings\Kina\Application Data\pcouffin.sys
2007-11-24 20:46 251,392 ----a-w C:\Program Files\opera\program\plugins\dapop.dll
2008-04-23 10:40 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-23 10:40 8 --sh--r C:\WINDOWS\system32\E9A64C33A0.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-28_22.04.30.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-27 04:11:42 4,132 ----a-w C:\WINDOWS\bthservsdp.dat
+ 2008-08-03 13:44:10 4,132 ----a-w C:\WINDOWS\bthservsdp.dat
+ 2005-05-24 04:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 07:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 07:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 03:29 68856]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-18 00:51 486856]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 16:19 356352]
"Advanced Woman Calendar"="C:\Program Files\Advanced Woman Calendar\WomanCalendar.exe" [2008-05-25 19:41 437360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-26 18:04 180269]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-07-14 17:24 172032]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-09-06 19:15 380928]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 01:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-01 01:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 01:00 455168]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 22:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 09:57 90112]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"ATIPTA"="atiptaxx.exe" [2005-11-23 09:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Kina\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 DeepFrz;DeepFrz;C:\WINDOWS\system32\drivers\DeepFrz.sys [2006-11-29 02:57]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\atitray.sys [2006-01-25 03:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-09-08 16:04]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-09-06 19:17]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-01 07:49]
R3 aapltctp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2006-08-23 17:04]
R3 filter;filter;C:\WINDOWS\system32\DRIVERS\filter.sys [2006-03-08 10:03]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys [2008-01-04 20:34]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-04-11 08:30]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 13:47]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 realf;RealFlight Service;C:\WINDOWS\system32\DRIVERS\realf.sys []
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 12:57]
S3 usbu2a;UsbU2A;C:\WINDOWS\system32\Drivers\usbu2a.sys [2001-08-30 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 12:52:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\LogonDll.dll
.
Completion time: 2008-08-05 12:53:06
ComboFix-quarantined-files.txt 2008-08-05 04:53:04
ComboFix4.txt 2008-07-29 11:30:04
ComboFix3.txt 2008-08-01 14:33:08
ComboFix5.txt 2008-08-05 04:51:04
ComboFix2.txt 2008-08-03 01:41:50

Pre-Run: 816,791,552 bytes free
Post-Run: 812,105,728 bytes free

139 --- E O F --- 2007-11-28 04:26:07

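An added example, not code from this thread or from ComboFix: a small Python script that parses the registry portion of a ComboFix log like the one above and flags the settings a removal helper would want to look at first (Security Center overrides, the firewall profile, removable-drive AutoRun commands, Winlogon Notify DLLs). The sample excerpt is constructed from the entries posted above; the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the ComboFix log posted in this thread (values as posted).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2006-11-29 02:55 65536 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f4f5de-85b6-11dc-8dd0-0014515ab700}]
\Shell\AutoRun\command - E:\autorun.exe
"""

Finding = Tuple[str, str]  # (severity, description)

def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Split a ComboFix-style log into (lower-cased registry key, lines under it) pairs."""
    sections, key, body = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, body))
            key, body = line[1:-1].lower(), []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections

def review_combofix(text: str) -> List[Finding]:
    """Return the security-relevant settings found in the log, in log order."""
    findings: List[Finding] = []
    for key, body in parse_sections(text):
        if key.endswith("security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if any(f'"{name}"=dword:00000001' in l for l in body):
                    findings.append(("high", f"Security Center {name} is set; status alerts are suppressed"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            if any(re.match(r'"EnableFirewall"\s*=\s*0\b', l) for l in body):
                findings.append(("high", "Windows Firewall is disabled in the standard profile"))
        elif "mountpoints2" in key:
            for l in body:
                m = re.match(r"\\shell\\autorun\\command\s*-\s*(.+)", l, re.I)
                if m:
                    findings.append(("medium", f"AutoRun command registered for a removable drive: {m.group(1)}"))
        elif "winlogon\\notify" in key:
            for l in body:
                m = re.search(r"(\S+\.dll)$", l, re.I)
                if m:  # loaded into winlogon.exe; verify the vendor before treating it as malicious
                    findings.append(("review", f"Winlogon Notify DLL: {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for severity, description in review_combofix(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```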
Old 6th August 2008   #15
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience:
~@<*+

Great! Let's clean up now. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

You can delete Flash_Disinfector.exe as well.

Download ATF Cleaner by Atribune and save it to your Desktop.
  • Double click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    • Recycle bin

  • The rest are optional - if you want it to remove everything check "Select All".
  • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

An ounce of prevention is worth a pound of cure

Surf safe!

Powered by vBulletin® Version 3.8.3
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0
Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.