
Virus -MemScan:Trojan.Downloader.Mohbpork.A -

Discussion in 'Malware and Virus Removal Archive' started by Dcmurray, 2006/11/09.

  1. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0

    Yes, all issues with IE7 have been resolved. So the only issues I have remaining are as indicated above.

    Bit Defender Support Team recommended to use the system restore and I followed the instructions which were the same as your instructions earlier.

    BD did block these Trojan files earlier today with a notice coming up on the screen for each file that it blocked. It also told me that it did not infect my system because of the block but this was the first time I've seen this. The trial version has been on my computer for 7 days now.
     
  2. 2006/11/12
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    Hi again TeMerc

    Associations to Wareout
    From SilentRunners
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "csnbo.exe" [null data]

    The random named cs***.exe file

    From Hijackthis
    Eg...
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
    The address to Inhoster

    You may have killed the file; I just wonder if anything is hiding.
    Running fixwareout.exe will probably remove any leftovers.

    F-secure's blbeta.exe with /expert switch should show all files
    But probably not needed if Fixwareout is run

    Again, there may be leftovers
     


  4. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    So we are currently left with the following:
    Can't say I have heard of the problem with clicking links. I'll have to look into this, to see if it's related to malware, though offhand I can't recall hearing of it.

    'Not responding' prompts could be a number of things. Did the behaviour begin immediately as you became infected, or before, or some time afterward?

    Have you run Spybot since and had the same problem?

    Let me know.
     
  5. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Both those issues have been addressed already; his latest HJT log shows no sign of the O17 lines.

    We deleted the file with Killbox too. And I believe Blacklight showed no results.
     
  6. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    Because I am so limited with my computer knowledge, I really don't even know when I got infected. I did have a problem this morning with Outlook not responding but I have been in and out of it all day and it hasn't occurred since.

    I just tried to run Spybot again and this problem persists.

    And I have just run BD again and lo and behold the log follows. Please keep in mind, I just completed System Restore.


    //-----------------------------------------------------------------
    //
    // Product BitDefender Antivirus Plus v10
    // Product 10.0
    //
    // Created on: 12/11/2006 17:59:38
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    Folders : 3889
    Files : 109170
    Memory processes scanned : 42
    Archives : 1099
    Runtime packers : 3258
    Identified viruses : 1
    Infected files : 1
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 1
    I/O errors : 572
    Scan time : 00:19:12
    Scan speed (files/sec) : 94

    Spyware Statistics

    Registry keys scanned : 1603
    Registry keys infected : 0
    Cookies scanned : 9
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 340339
    Scan plugins : 15
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1163368778.log

    Spyware scan options

    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP1\A0000007.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP1\A0000007.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP1\A0000007.exe Moved


    The Trojan's name has changed - it used to be called "MemScan ...

    Thank You
     
  7. 2006/11/12
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    Not that there's anything left behind
    More of a double-check, Fixwareout.exe should probably be run
    It can play tricks on internet connections, but
    I didn't see a blacklight log, running blbeta.exe normally may not show anything
    I would try it this way

    Download and Save BlackLight to the root directory (folder) of your C: drive (C:\blbeta.exe).
    F-Secure Blacklight: https://europe.f-secure.com/exclude/blacklight/blbeta.exe
    Go to Start > Run, and enter the following command and hit enter:

    C:\blbeta /expert

    Accept the agreement.
    click > scan then > next,
    You'll see a list of all items found.
    Do NOT choose rename for any items yet! Post the log first, because legitimate items can also be present there...
    A log will be created in your C:\ directory with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
    Post the contents of the log in your next reply.
     
  8. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0

    Thank you for your interest in resolving my problems. Temerc has been very helpful and I feel very comfortable with his analysis.

    I'm assuming that your posts are addressed to Temerc, although if this is not the case, I will wait for instructions from him.

    Please do not consider this post as not wanting to accept your help. I have a great deal of confidence in Temerc and do not want to have him adjust any plans for my issue as a result of not following his instructions.

    Thank you for your interest and please continue to communicate with Temerc on this thread.
     
  9. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You can run the blacklight tool as instructed, dc.
     
  10. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    I am not sure what a root directory is or where I can find it. Please offer step by step instructions for me.

    Lighten things up a bit -

    A woman (with a small chest) is sitting at the kitchen table with her husband,
    she says to him that she wants bigger b**bs.

    The husband says, "That's easy, just go in the bathroom, grab some toilet tissue and rub them between your b**bs."

    Mom says, "How is that going to work - that's crazy!"

    Husband says, "I really don't know but it sure as heck worked on your A**."
     
  11. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    The root directory in this case would be your 'C' drive.
     
  12. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    Blacklight log

    Please find below the log as requested.

    11/12/06 21:14:34 [Info]: BlackLight Engine 1.0.47 initialized
    11/12/06 21:14:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/12/06 21:14:34 [Note]: 7019 4
    11/12/06 21:14:34 [Note]: 7005 0
    11/12/06 21:14:48 [Note]: 7006 0
    11/12/06 21:14:48 [Note]: 7022 0
    11/12/06 21:14:49 [Note]: 7011 1252
    11/12/06 21:14:49 [Note]: 7026 0
    11/12/06 21:14:49 [Note]: 7026 0
    11/12/06 21:14:49 [Note]: FSRAW library version 1.7.1020
    11/12/06 21:16:08 [Info]: Hidden file: c:\WINDOWS\system32\cswnm.exe
    11/12/06 21:16:08 [Note]: 7002 32
    11/12/06 21:16:08 [Note]: 7003 1
    11/12/06 21:16:08 [Note]: 10002 1
    11/12/06 21:17:15 [Note]: 7007 0
     
  13. 2006/11/12
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    Can you please do the following
    Strike that last part

    Not to interfere; this is what I would do, below, but of course get verification.
    Take note of the following settings
    Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP)


    After you take note of the above settings
    Please do the following, as you are still infected with a Wareout infection
    Download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
    Save it to your desktop

    Double click on Fixwareout.exe and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    Allow access through your firewall if prompted.
    You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads, a text file will open (report.txt).

    Please post report.txt along with a fresh HijackThis log.

    EDIT>>By the way, thanks for the joke of the day :0)
     
    Last edited: 2006/11/13
  14. 2006/11/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I agree with indmusic's post; please run the instructions as presented.
     
  15. 2006/11/13
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    New Hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:02:20 PM, on 11/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142097753734
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us14/n.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
     
  16. 2006/11/13
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    report - fixwareout

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSPPR.EXE 51,714 2006-09-26

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
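    As an added example (not code from any of the posters, nor from HijackThis, Silent Runners, BlackLight or Fixwareout), the script below automates the indicator checks indmusic describes in post 2 and that the Fixwareout report above performs by hand: it reads pasted log lines from those tools and flags O17 NameServer entries inside a watched range, a populated "System" value under the Winlogon key, and five-letter cs/dm/jb executables. The watched range is seeded from the two addresses quoted in the thread (85.255.115.98 and 85.255.112.80); widening them to a /20 is an assumption of this example. The sample log is constructed from lines quoted in the thread plus one made-up benign O17 entry and the legitimate csrss.exe, which fits the five-letter pattern and shows why the report warns that legitimate files can be listed.

```python
"""Triage helper for the Wareout indicators discussed in this thread.

Reads pasted log text (HijackThis, Silent Runners, BlackLight, Fixwareout
report) and flags three indicators the posts describe:
  * O17 NameServer entries inside a watched address range,
  * a populated "System" value under the Winlogon key,
  * five-letter cs/dm/jb executables (Fixwareout's size/name search).
"""
import ipaddress
import re

# Name-server prefixes treated as hostile.  Seeded from the two addresses the
# thread quotes (85.255.115.98 and 85.255.112.80); widening them to a /20 is an
# assumption made for this example, so maintain this list like any watchlist.
WATCHED_DNS_PREFIXES = [ipaddress.ip_network("85.255.112.0/20")]

# Legitimate Windows binaries that fit the five-letter pattern.  The Fixwareout
# report itself warns that legitimate files can be listed, so allowlist them.
KNOWN_GOOD_NAMES = {"csrss.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer\s*=\s*([\d.,\s]+)$", re.IGNORECASE)
SYSTEM_VALUE_RE = re.compile(r'^"System"\s*=\s*"([^"]*)"')
# cs/dm/jb followed by exactly three letters and ".exe", preceded by a path
# separator, a quote or start of line, so longer names do not match.
RANDOM_NAME_RE = re.compile(r'(?:^|[\\/"])((?:cs|dm|jb)[a-z]{3}\.exe)\b', re.IGNORECASE)

# Constructed sample: lines modelled on those quoted in the thread, plus one
# benign O17 entry and the legitimate csrss.exe to exercise the filters.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "csnbo.exe" [null data]
11/12/06 21:16:08 [Info]: Hidden file: c:\WINDOWS\system32\cswnm.exe
C:\WINDOWS\SYSTEM32\CSPPR.EXE 51,714 2006-09-26
C:\WINDOWS\system32\csrss.exe
"""


def check_nameservers(csv):
    """Return the addresses in an O17 NameServer list that fall in the watchlist."""
    hits = []
    for token in csv.split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            continue  # not an IP address; ignore the token
        if any(addr in net for net in WATCHED_DNS_PREFIXES):
            hits.append(str(addr))
    return hits


def scan_log(text):
    """Return (rule, detail) findings, in order, for every indicator line."""
    findings = []
    current_key = ""  # Silent Runners prints a registry key line, then its values
    for raw in text.splitlines():
        line = re.sub(r"^<<!>>\s*", "", raw.strip())  # drop Silent Runners' marker
        if line.endswith("\\"):
            current_key = line
            continue

        m = O17_RE.match(line)
        if m:
            for addr in check_nameservers(m.group(1)):
                findings.append(("O17 watched NameServer", addr))

        m = SYSTEM_VALUE_RE.match(line)
        if m and m.group(1) and current_key.lower().endswith("\\winlogon\\"):
            findings.append(("Winlogon System value set", m.group(1)))

        m = RANDOM_NAME_RE.search(line)
        if m and m.group(1).lower() not in KNOWN_GOOD_NAMES:
            findings.append(("five-letter cs/dm/jb executable", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_log(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

    Run against a real paste, the hits are leads to verify (for example by submitting the named file to a multi-engine scanner, as the report suggests), not a verdict: the allowlist exists precisely because csrss.exe and similar system files match the naming pattern.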
     
  17. 2006/11/13
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    New Home Page

    I seem to also be having problems with my CD/DVD drive. Whenever I try to use it a message comes up and says "D: Not accessible".

    Also my Home page has been changed back to MSN - is this a result of some of the previous scans?

    Thanks to you both.
     
  18. 2006/11/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Is this new with the DVD drive or has it been ongoing?

    The reset of the homepage is likely a result of the tools run. I have not used the Wareout fix enough to recall or say for sure. Change it to your liking.

    Let's run Blacklight again, but this time, follow the instructions for 'renaming' the found file.

    The tool will ask if you want to reboot, select yes.
    Check if the above file is in the system32 folder.

    It will have a 'ren' after it most likely and then you can delete it.

    Then reboot and run the tool yet again, to verify its deletion.

    Then download the Killbox.
    Save it to the desktop and run it.

    Select "Delete on Reboot", and then select "All files".

    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\Windows\system32\csnbo.exe

    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Reboot the system, run Silent Runners again and post the log, then let me know if the other file has been flagged by BlackLight and you deleted it successfully.
     
  19. 2006/11/14
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    Logs as requested

    11/14/06 09:56:43 [Info]: BlackLight Engine 1.0.47 initialized
    11/14/06 09:56:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/14/06 09:56:43 [Note]: 7019 4
    11/14/06 09:56:43 [Note]: 7005 0
    11/14/06 09:57:29 [Note]: 7007 0


    Ran Silentrunners - Log as requested

    "Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "PowerBar" = "(empty string)" [file not found]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IntelAudioStudio" = " "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT" [ "Intel Corporation"]
    "IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [ "Intel Corporation"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" [ "Intel Corporation"]
    "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" [ "Intel Corporation"]
    "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" [ "Intel Corporation"]
    "SigmatelSysTrayApp" = "sttray.exe" [file not found]
    "RemoteControl" = " "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" " [ "Cyberlink Corp."]
    "InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" [ "Nero AG"]
    "LGODDFU" = " "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun" [null data]
    "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ "Hewlett-Packard Development Company, L.P."]
    "Motive SmartBridge" = "C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe" [ "Motive Communications, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ "Sun Microsystems, Inc."]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ "Zero-Knowledge Systems Inc."]
    "BDMCon" = " "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg" [ "SOFTWIN S.R.L."]
    "BDAgent" = " "C:\Program Files\Softwin\BitDefender10\bdagent.exe" " [ "SOFTWIN S.R.L."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax "
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider "
    \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO "
    -> {HKLM...CLSID} = "PopKill Class "
    \InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" [ "Zero-Knowledge Systems Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO "
    -> {HKLM...CLSID} = "ZKBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll" [ "Zero-Knowledge Systems Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW "
    -> {HKLM...CLSID} = "Shell Extension for CDRW "
    \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" [ "Nero AG"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8 "
    -> {HKLM...CLSID} = "BDMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender10\bdshelxt.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
    -> {HKLM...CLSID} = "WPDShServiceObj Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = "sockspy.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" [ "Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B} "
    -> {HKLM...CLSID} = "BDMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender10\bdshelxt.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\sspipes.scr" [MS]


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" [ "Hewlett-Packard Development Company, L.P."]
    "Net Assistant" -> shortcut to: "C:\Program Files\Aliant\Net Assistant\bin\matcli.exe -boot" [ "Motive Communications, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" [file not found]
    "AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]
    "CCleaner" -> launches: "C:\PROGRA~1\CCleaner\ccleaner.exe" [ "Piriform Ltd"]
    "CleanUp!" -> launches: "C:\PROGRA~1\CleanUp!\Cleanup.exe" [ "Steven R. Gould"]
    "Spybot - Search & Destroy" -> launches: "C:\PROGRA~1\SPYBOT~1\SpybotSD.exe" [ "Safer Networking Limited"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [ "Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8 "
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001 "
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    BitDefender Communicator, XCOMM, " "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" [ "Softwin"]
    BitDefender Desktop Update Service, LIVESRV, " "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" [ "SOFTWIN S.R.L."]
    BitDefender Scan Server, bdss, " "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
    BitDefender Virus Shield, VSSERV, " "C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service" [ "SOFTWIN S.R.L."]
    DvpApi, dvpapi, " "C:\Program Files\Common Files\Command Software\dvpapi.exe" " [ "Command Software Systems, Inc."]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" [ "Nero AG"]
    Intel(R) Matrix Storage Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe" [ "Intel Corporation"]
    SigmaTel Audio Service, STacSV, "C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe" [ "SigmaTel, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" [ "Hewlett Packard"]
    Language Monitor\Driver = "hpz3l054.dll" [ "Hewlett-Packard Company"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 96 seconds, including 55 seconds for message boxes)


    There were no files found with Blacklight.

(still having "click problems")

I think the DVD drive problem has occurred since I have been in contact here; however, I am really not sure. It is rare that I use it.

PS (you may be hearing from a friend who has encountered some problems)


    Thanks
     
  20. 2006/11/14
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    New BD Log

I don't even know if this means anything to you, but this trojan keeps showing up - please note - it is now in the system32 path. It was never there before; it was always in System Restore. Anyway, have a look and tell me what you think.


    //-----------------------------------------------------------------
    //
    // Product BitDefender Antivirus Plus v10
    // Product 10.0
    //
    // Created on: 14/11/2006 12:29:46
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    Folders : 4455
    Files : 148018
    Memory processes scanned : 20
    Archives : 1435
    Runtime packers : 5908
    Identified viruses : 1
    Infected files : 1
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 1
    I/O errors : 583
    Scan time : 00:25:21
    Scan speed (files/sec) : 97

    Spyware Statistics

    Registry keys scanned : 1603
    Registry keys infected : 0
    Cookies scanned : 0
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 342455
    Scan plugins : 15
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1163521786.log

    Spyware scan options

    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\WINDOWS\system32\csppr.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\WINDOWS\system32\csppr.exe Disinfection failed
    C:\WINDOWS\system32\csppr.exe Moved




    One thing I should tell you, after reading some other posts, I have 4 other users on this computer, each of my three sons and a guest user.
     
    Last edited: 2006/11/14
  21. 2006/11/14
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
Yes, that was a result of running FixWareout.


Here's part of the output of the FixWareout report:
    Code:
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSPPR.EXE 51,714 2006-09-26 
Usually a good idea to scan the file, but as BitDefender pointed out, it's a bad guy.
Can you ensure the file is gone from the System32 folder?
If not, delete it; if it won't delete,
you can use TeMerc's instructions with Killbox
with this path to the file name:

    C:\WINDOWS\system32\csppr.exe

I doubt it's related to any infection; it's usually associated with incompatibilities between XP and programs such as Roxio and/or InCD,
of which you have the latter.

    If you open MyComputer, do you see your DVD drive present?
Can you right click on the "My Computer" icon,
left click "Properties",
open the Hardware tab >> Device Manager,
expand (+) next to DVD/CD-ROM Drives,

    Double click on your drive
    Under Device Status, is there an error code?

Suggestion: excluding the Guest account, it may be a good idea to post a HijackThis log from the other users.
Label them, e.g. you are User 1 >> User 2 >> User 3.
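The search indmusic describes above (five-letter cs/dm/jb names in System32, with every hit to be checked at VirusTotal rather than trusted blindly) as an added Python triage script; this is example code, not FixWareout's own, and the folder it scans and the file bodies in it are constructed here to stand in for System32.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Naming pattern FixWareout looks for: a two-letter prefix (cs, dm or jb)
# plus three more letters and .exe (csppr.exe on this thread). Legitimate
# files can match too, so hits are a triage list for VirusTotal, not a verdict.
SUSPECT_NAME = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)

def is_suspect_name(filename: str) -> bool:
    """True if the bare file name fits the five-letter cs/dm/jb pattern."""
    return SUSPECT_NAME.match(filename) is not None

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path) -> str:
    """Stream the file so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_directory(directory) -> list:
    """Return (name, size, sha256) for every regular file whose name matches.
    The hash is what you look up at VirusTotal to decide whether a hit is bad."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and is_suspect_name(entry.name):
            hits.append((entry.name, entry.stat().st_size, sha256_file(entry)))
    return hits

def build_constructed_sample() -> Path:
    """Scratch folder standing in for System32 (constructed, not real binaries):
    two pattern hits, one legitimate name, one near-miss with the wrong extension."""
    folder = Path(tempfile.mkdtemp(prefix="triage_"))
    (folder / "csppr.exe").write_bytes(b"MZ constructed sample 1")
    (folder / "dmxyz.EXE").write_bytes(b"")          # empty body, well-known hash
    (folder / "notepad.exe").write_bytes(b"MZ legitimate name")
    (folder / "csppr.dll").write_bytes(b"not an exe")
    return folder

if __name__ == "__main__":
    for name, size, digest in triage_directory(build_constructed_sample()):
        print(f"{name:<12} {size:>8} bytes  sha256={digest}")
```

Pointing triage_directory at the real System32 folder lists only name matches; a match is a reason to look the hash up, not a reason to delete.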
     