
Infostealer and Infostealer.Gamepass

Discussion in 'Malware and Virus Removal Archive' started by EmmaQ, 2008/06/07.

  1. 2008/06/15
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    New Combofix log

    Hey Geri

    Thank you for writing up the new fix. Here's the Combofix log you requested:

    ComboFix 08-06-09.7 - Yi Quan 2008-06-15 17:24:07.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1460 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\66208e00bd13e962.dat
    C:\9ac93798b98b8595.dat
    C:\ac6cc34072b93995.dat
    C:\c528b574eb7bee44.dat
    C:\c7d41980ca75b438.dat
    C:\d2e49fc0d8a8f197.dat
    C:\d5a0822459b4de2e.dat
    C:\d98823800af1b66a.dat
    C:\f233975c18d20f87.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_66208E00BD13E962
    -------\Legacy_9AC93798B98B8595
    -------\Legacy_AC6CC34072B93995
    -------\Legacy_C528B574EB7BEE44
    -------\Legacy_C7D41980CA75B438
    -------\Legacy_D2E49FC0D8A8F197
    -------\Legacy_D5A0822459B4DE2E
    -------\Legacy_D98823800AF1B66A
    -------\Legacy_F233975C18D20F87


    ((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
    .

    2008-06-14 17:02 . 2008-06-14 17:03 <DIR> d-------- C:\Program Files\ERUNT
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-05-15 23:04 . 2008-05-15 23:04 <DIR> d-------- C:\Program Files\Common Files\Thunder Network
    2008-05-15 23:04 . 2008-06-01 13:49 26 --a------ C:\WINDOWS\system32\xlhcc.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-15 21:27 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot_2008-06-13_17.20.18.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-13 16:44:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-15 21:28:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\14-06-2008\ERDNT.EXE
    + 2008-06-14 21:05:19 7,041,024 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-14 21:05:19 274,432 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\ERDNT.EXE
    + 2008-06-15 15:07:44 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-15 15:07:45 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000002\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37AC9076-C898-B098-D098-A18319080973}]
    C:\WINDOWS\system32\nhmxcjkl.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb "= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "\ "logonui.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV "= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-11 23:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-15 21:32:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-15 17:28:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\verclsid.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-15 17:35:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-15 21:35:15
    ComboFix2.txt 2008-06-14 13:23:41
    ComboFix3.txt 2008-06-13 21:21:03
    ComboFix4.txt 2008-06-10 00:48:54

    Pre-Run: 18,251,317,248 bytes free
    Post-Run: 18,240,036,864 bytes free

    173 --- E O F --- 2008-06-14 14:02:38
     
  2. 2008/06/15
    EmmaQ

    New HJT log

    And here's a fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:43:06 PM, on 15/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7433 bytes
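The entries in this HJT log that matter for the cleanup are the O2 and O21 load points whose DLL is already gone (the registry key survived the file), and in particular the BHO with the machine-generated name nhmxcjkl.dll in system32. As an added example, not part of the thread and not anything HijackThis itself does, here is a small Python triage that reads those two sections of an HJT log and flags the same kind of entry automatically. The sample lines are copied from the log above; the "random-looking name" heuristic (eight or more lowercase letters with fewer than one vowel in five) and the system32 check are assumptions of this example.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample: the O2/O21 lines from the HijackThis log above, plus one
# O4 line to show that other sections are ignored by this triage.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# HJT prints Browser Helper Objects (O2) and ShellServiceObjectDelayLoad entries
# (O21) as "<section> - <kind>: <name> - {CLSID} - <path> [(file missing)]".
LOAD_POINT_RE = re.compile(
    r"^(?P<section>O2|O21) - (?P<kind>BHO|SSODL): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)"
    r"(?: \((?P<status>file missing)\))?$"
)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example) for dropper-generated names such as
    'nhmxcjkl': eight or more lowercase letters with fewer than one vowel in five."""
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def triage_hjt(log_text: str) -> list[dict]:
    """Return the O2/O21 entries worth a second look, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOAD_POINT_RE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(m["path"])
        reasons = []
        if m["status"] == "file missing":
            reasons.append("orphaned load point: the DLL is gone but the registry key remains")
        in_system32 = str(path.parent).lower().endswith(r"windows\system32")
        if in_system32 and looks_random(path.stem.lower()):
            reasons.append("random-looking DLL name dropped in system32")
        if reasons:
            findings.append({
                "section": m["section"],
                "name": m["name"],
                "clsid": m["clsid"],
                "path": str(path),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['section']} {f['clsid']} {f['path']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the sample, the script reports three entries: the Thunder AtOnce BHO and the midimapcb SSODL entry as plain orphans, and nhmxcjkl.dll with both reasons, which is the one entry the helper later has the poster fix in HJT. An orphan alone is harmless but still worth removing so the log stays readable.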
     

  4. 2008/06/15
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ
    OK, that is much better. Are things running OK?

    Now do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: nhmxcjkl.dll - {37AC9076-C898-B098-D098-A18319080973} - C:\WINDOWS\system32\nhmxcjkl.dll (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    We need to update your Java.

    To update your Java: using Add/Remove Programs in the Control Panel, remove all Java and/or JRE installations. Reboot when done. Then go to Sun, download and install the Java Runtime Environment (JRE) 6 Update *.
    * = the latest version available.

    Now do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's get an online scan.

    Please do an online scan with Kaspersky WebScanner.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click "Scan Report" on the left side.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  5. 2008/06/16
    EmmaQ

    Kaspersky Scan

    Hey Geri

    Thanks again for helping me. My computer is working great :) However, the Kaspersky scan came up with 9 infected items:


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, June 16, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, June 16, 2008 00:58:11
    Records in database: 870168
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 84542
    Threat name: 7
    Infected objects: 9
    Suspicious objects: 0
    Duration of the scan: 01:55:05


    File name / Threat name / Threats count
    C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\z20.exe.bac_a00372 Infected: Trojan-PSW.Win32.OnLineGames.alpg 1
    C:\Documents and Settings\Administrator\Local Settings\Temp\z33.exe Infected: Trojan-Downloader.Win32.Small.wyd 1
    C:\Program Files\TDdownload\__QQ 2006 Beta3.exe Infected: Trojan-Spy.Win32.Qeds.g 1
    C:\WINDOWS\system32\dueoduxz.dll Infected: Trojan.Win32.BHO.hh 1
    C:\WINDOWS\system32\dxdugvqhk.exe Infected: Trojan.Win32.BHO.hh 1
    C:\WINDOWS\system32\dxdugvqhk.exe.tmp Infected: Trojan.Win32.BHO.hh 1
    C:\WINDOWS\system32\qscxaiwhs.exe Infected: Trojan-Downloader.Win32.BHO.k 1
    C:\WINDOWS\system32\tohwstazp.dll Infected: not-a-virus:AdWare.Win32.Agent.sx 1
    C:\WINDOWS\system32\tohwstazs.exe Infected: not-a-virus:AdWare.Win32.Agent.aer 1

    The selected area was scanned.
     
  6. 2008/06/16
    Geri Lifetime Subscription

    Hi EmmaQ

    OK Please do this.

    Go into the housecall6.6 Quarantine folder and delete everything in there.

    Go to this Temp folder open it, and delete everything in it.

    C:\Documents and Settings\Administrator\Local Settings\Temp


    Now do this.
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
    Code:
    File::
    C:\Program Files\TDdownload\__QQ 2006 Beta3.exe 
    C:\WINDOWS\system32\dueoduxz.dll 
    C:\WINDOWS\system32\dxdugvqhk.exe 
    C:\WINDOWS\system32\dxdugvqhk.exe.tmp
    C:\WINDOWS\system32\qscxaiwhs.exe
    C:\WINDOWS\system32\tohwstazp.dll 
    C:\WINDOWS\system32\tohwstazs.exe 
    Please post the Combofix log and a new Kaspersky scan.

    Thanks
    Geri
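The reply above splits the nine Kaspersky detections into two groups: the two files sitting in the HouseCall quarantine store and the Administrator Temp folder are dealt with by emptying those folders by hand, and the remaining seven paths go into a ComboFix CFScript under the File:: directive. As an added example, not part of the thread and not a ComboFix tool, this Python script makes that split from the pasted report text and prints the File:: block ready to save as CFScript.txt, together with the folders to empty first. The report lines are copied from the post above; the rule that any directory named Temp or Quarantine marks a hand-cleaned location is an assumption of this example.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample: the detection lines from the Kaspersky Online Scanner 7
# report posted above (header and statistics omitted).
SAMPLE_KASPERSKY_REPORT = r"""
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\z20.exe.bac_a00372 Infected: Trojan-PSW.Win32.OnLineGames.alpg 1
C:\Documents and Settings\Administrator\Local Settings\Temp\z33.exe Infected: Trojan-Downloader.Win32.Small.wyd 1
C:\Program Files\TDdownload\__QQ 2006 Beta3.exe Infected: Trojan-Spy.Win32.Qeds.g 1
C:\WINDOWS\system32\dueoduxz.dll Infected: Trojan.Win32.BHO.hh 1
C:\WINDOWS\system32\dxdugvqhk.exe Infected: Trojan.Win32.BHO.hh 1
C:\WINDOWS\system32\dxdugvqhk.exe.tmp Infected: Trojan.Win32.BHO.hh 1
C:\WINDOWS\system32\qscxaiwhs.exe Infected: Trojan-Downloader.Win32.BHO.k 1
C:\WINDOWS\system32\tohwstazp.dll Infected: not-a-virus:AdWare.Win32.Agent.sx 1
C:\WINDOWS\system32\tohwstazs.exe Infected: not-a-virus:AdWare.Win32.Agent.aer 1
"""

# Each detection line reads "<path> Infected: <threat name> <count>".
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumption of this example: a detection inside a quarantine store or a temp
# directory is cleared by emptying that folder by hand, as the reply instructs,
# so it is left out of the CFScript. Matched on directory names, case-insensitively.
HAND_CLEANED_DIRS = {"quarantine", "temp"}


def parse_report(text: str) -> list[tuple[str, str]]:
    """Return (path, threat) pairs for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"]))
    return hits


def hand_cleaned_parent(path: str) -> str | None:
    """If the file sits under a Temp or Quarantine directory, return that directory."""
    for ancestor in PureWindowsPath(path).parents:
        if ancestor.name.lower() in HAND_CLEANED_DIRS:
            return str(ancestor)
    return None


def build_cfscript(hits: list[tuple[str, str]]) -> tuple[str, list[str]]:
    """Split detections into a CFScript 'File::' block and folders to empty by hand."""
    script_paths, hand_dirs = [], set()
    for path, _threat in hits:
        folder = hand_cleaned_parent(path)
        if folder:
            hand_dirs.add(folder)
        else:
            script_paths.append(path)
    script = "File::\n" + "\n".join(script_paths) + "\n"
    return script, sorted(hand_dirs)


if __name__ == "__main__":
    hits = parse_report(SAMPLE_KASPERSKY_REPORT)
    script, hand_dirs = build_cfscript(hits)
    print("--- save as CFScript.txt ---")
    print(script, end="")
    print("--- empty these folders by hand first ---")
    for d in hand_dirs:
        print(d)
```

Paste the printed File:: block into Notepad, save it as CFScript.txt with "All Files" as the type, and drag it onto ComboFix.exe as the reply describes; empty the listed quarantine and Temp folders before running it, since those two detections are not in the script.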
     
  7. 2008/06/17
    EmmaQ

    Kaspersky results

    Hey Geri

    Here are the newest Combofix log and Kaspersky result. The Kaspersky scan showed some infections; should I just delete those files?

    Combofix

    ComboFix 08-06-09.7 - Yi Quan 2008-06-16 13:39:32.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1370 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\Security\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\Program Files\TDdownload\__QQ 2006 Beta3.exe
    C:\WINDOWS\system32\dueoduxz.dll
    C:\WINDOWS\system32\dxdugvqhk.exe
    C:\WINDOWS\system32\dxdugvqhk.exe.tmp
    C:\WINDOWS\system32\qscxaiwhs.exe
    C:\WINDOWS\system32\tohwstazp.dll
    C:\WINDOWS\system32\tohwstazs.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\TDdownload\__QQ 2006 Beta3.exe
    C:\WINDOWS\system32\dueoduxz.dll
    C:\WINDOWS\system32\dxdugvqhk.exe
    C:\WINDOWS\system32\dxdugvqhk.exe.tmp
    C:\WINDOWS\system32\qscxaiwhs.exe
    C:\WINDOWS\system32\tohwstazp.dll
    C:\WINDOWS\system32\tohwstazs.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
    .

    2008-06-15 21:24 . 2008-06-15 21:24 <DIR> d-------- C:\Program Files\Sun
    2008-06-15 21:24 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-14 17:02 . 2008-06-14 17:03 <DIR> d-------- C:\Program Files\ERUNT
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-16 17:40 --------- d-----w C:\Program Files\TDdownload
    2008-06-16 02:38 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-16 01:24 --------- d-----w C:\Program Files\Java
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-16 03:04 --------- d-----w C:\Program Files\Common Files\Thunder Network
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot_2008-06-13_17.20.18.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-13 16:44:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-16 01:28:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\14-06-2008\ERDNT.EXE
    + 2008-06-14 21:05:19 7,041,024 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-14 21:05:19 274,432 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\ERDNT.EXE
    + 2008-06-15 15:07:44 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-15 15:07:45 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\ERDNT.EXE
    + 2008-06-15 21:31:55 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000001\NTUSER.DAT
    + 2008-06-15 21:31:56 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000002\UsrClass.dat
    - 2006-09-08 21:26:16 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    + 2008-06-16 01:12:31 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    - 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb "= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "\ "logonui.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV "= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-11 23:20:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-16 14:01:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-16 13:42:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-16 13:44:32
    ComboFix-quarantined-files.txt 2008-06-16 17:43:46
    ComboFix2.txt 2008-06-15 21:35:22
    ComboFix3.txt 2008-06-14 13:23:41
    ComboFix4.txt 2008-06-13 21:21:03
    ComboFix5.txt 2008-06-10 00:48:54

    Pre-Run: 18,108,960,768 bytes free
    Post-Run: 18,154,381,312 bytes free

    177 --- E O F --- 2008-06-14 14:02:38




    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, June 17, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, June 17, 2008 01:01:58
    Records in database: 875191
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 87455
    Threat name: 5
    Infected objects: 7
    Suspicious objects: 0
    Duration of the scan: 01:55:15


    File name / Threat name / Threats count
    C:\QooBox\Quarantine\C\Program Files\TDdownload\__QQ 2006 Beta3.exe.vir Infected: Trojan-Spy.Win32.Qeds.g 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\dueoduxz.dll.vir Infected: Trojan.Win32.BHO.hh 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\dxdugvqhk.exe.tmp.vir Infected: Trojan.Win32.BHO.hh 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\dxdugvqhk.exe.vir Infected: Trojan.Win32.BHO.hh 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\qscxaiwhs.exe.vir Infected: Trojan-Downloader.Win32.BHO.k 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tohwstazp.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.sx 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\tohwstazs.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.aer 1

    The selected area was scanned.
     
  8. 2008/06/17
    Geri
    Hi EmmaQ
    Those are in the Combofix back ups, we'll get rid of them shortly.

    There are still a couple things to get rid of here.

    Your flash drive(s), thumb drive(s), USB drive(s) are infected.

    So please do this,

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
    Code:
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

    http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    If you have any Flash drives (USB thumb drives) plug them in before doing this.

    • Double-click Flash_Disinfector.exe to run it.
      Follow any prompts that may appear.
      Your desktop will vanish for a while, and then reappear. This is normal.
      Wait until the program has finished scanning, then please exit the program.

    Empty this folder:

    C:\WINDOWS\temp

    Please post the CF log.

    Thanks
    Geri
     
  9. 2008/06/19
    EmmaQ
    Hey Geri

    I apologize for the late reply. Here's the newest Combofix log:

    ComboFix 08-06-09.7 - Yi Quan 2008-06-19 17:25:40.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1458 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\Security\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\#SharedObjects\XYLUAKPD\www.inter-focus.cn
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\#SharedObjects\XYLUAKPD\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
    C:\Documents and Settings\Yi Quan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
    .

    2008-06-15 21:24 . 2008-06-15 21:24 <DIR> d-------- C:\Program Files\Sun
    2008-06-15 21:24 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-14 17:02 . 2008-06-14 17:03 <DIR> d-------- C:\Program Files\ERUNT
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-02 21:53 . 2008-06-02 21:54 94,383,892 --a------ C:\SYM_REGISTRY_BACKUP.reg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-19 21:28 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-16 17:40 --------- d-----w C:\Program Files\TDdownload
    2008-06-16 01:24 --------- d-----w C:\Program Files\Java
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-16 03:04 --------- d-----w C:\Program Files\Common Files\Thunder Network
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot_2008-06-13_17.20.18.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-13 16:44:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 21:29:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\14-06-2008\ERDNT.EXE
    + 2008-06-14 21:05:19 7,041,024 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-14 21:05:19 274,432 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\ERDNT.EXE
    + 2008-06-15 15:07:44 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-15 15:07:45 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\ERDNT.EXE
    + 2008-06-18 11:56:34 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-18 11:56:35 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\ERDNT.EXE
    + 2008-06-19 10:53:52 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-19 10:53:53 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\ERDNT.EXE
    + 2008-06-15 21:31:55 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000001\NTUSER.DAT
    + 2008-06-15 21:31:56 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000002\UsrClass.dat
    - 2006-09-08 21:26:16 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    + 2008-06-16 01:12:31 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    - 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb "= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "\ "logonui.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV "= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S0 1444546;1444546;C:\WINDOWS\system32\drivers\1444546.sys []
    S0 ADProt;ADProt;C:\WINDOWS\system32\drivers\ADProt.sys []
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-18 23:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-19 21:32:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 17:29:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-19 17:36:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-19 21:36:13
    ComboFix2.txt 2008-06-16 17:44:32
    ComboFix3.txt 2008-06-15 21:35:22
    ComboFix4.txt 2008-06-14 13:23:41
    ComboFix5.txt 2008-06-13 21:21:03

    Pre-Run: 17,904,316,416 bytes free
    Post-Run: 17,878,188,032 bytes free

    188 --- E O F --- 2008-06-17 22:30:04
     
  10. 2008/06/19
    EmmaQ
    newest HJT log

    And here's a fresh HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:46:16 PM, on 19/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: D??¢?ì?÷ - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q306&bd=pavilion&pf=laptop
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157852031890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157852025406
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://zhibo.cctv.com/video_player/img/CCTVKooPlayer.ocx
    O21 - SSODL: midimapcb - {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7461 bytes


    Thank you so much for your help. What shall I do next?
     
  11. 2008/06/19
    Geri
    Hi EmmaQ
    Please do this.

    Click on Start > Run. Type in cmd in the run box and click OK.

    In the command window that opens, copy and paste the contents of the code box below into the window and hit Enter.

    Code:
    @echo off
    cd desktop
    reg add HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\Fdummy
    reg save HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\Fdummy dummy1.hiv
    reg restore HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\F dummy1.hiv
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\F /f
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\Fdummy /f
    reg add HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}dummy
    reg save HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}dummy dummy2.hiv
    reg restore HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808} dummy2.hiv
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808} /f
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}dummy /f
    reg query HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\F>>dummy.txt
    reg query HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb78f10b-382f-11d4-b7c4-001a708fd808}>>dummy.txt
    del /q dummy*.hiv
    start notepad dummy.txt
    exit
    cls
    Notepad will open on your Desktop; copy and paste its contents into your next reply.


    Now we need to run a CFScript again.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Driver::
    1444546
    ADProt
    Please post the CF log and the contents of the dummy.txt file.

    Thanks
    Geri
     
  12. 2008/06/20
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    dummy log and CF log

    Hey Geri

    The dummy.txt came out blank. Here's the newest Combofix log:

    ComboFix 08-06-09.7 - Yi Quan 2008-06-20 11:15:37.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1434 [GMT -4:00]
    Running from: C:\Documents and Settings\Yi Quan\Desktop\Security\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Yi Quan\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_1444546
    -------\Legacy_ADPROT
    -------\Service_1444546
    -------\Service_ADProt


    ((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
    .

    2008-06-19 18:10 . 2008-05-22 18:22 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2008-06-19 18:10 . 2008-05-22 18:22 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2008-06-19 18:10 . 2008-05-22 18:22 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
    2008-06-19 18:10 . 2008-05-22 18:22 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-06-19 18:10 . 2008-05-22 18:22 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-06-15 21:24 . 2008-06-15 21:24 <DIR> d-------- C:\Program Files\Sun
    2008-06-15 21:24 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-14 17:02 . 2008-06-14 17:03 <DIR> d-------- C:\Program Files\ERUNT
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 18:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-04 22:03 . 2008-06-04 22:03 <DIR> d-------- C:\Deckard
    2008-06-04 14:21 . 2007-11-03 12:08 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-05-22 18:22 . 2008-05-22 18:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-05-22 18:22 . 2008-05-22 18:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2008-05-22 18:22 . 2008-05-22 18:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
    2008-05-22 18:20 . 2008-05-22 18:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
    2008-05-22 18:20 . 2008-05-22 18:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2008-05-22 18:19 . 2008-05-22 18:19 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
    2008-05-22 18:19 . 2008-05-22 18:19 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
    2008-05-22 18:19 . 2008-05-22 18:19 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-05-22 18:19 . 2008-05-22 18:19 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
    2008-05-22 18:19 . 2008-05-22 18:19 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
    2008-05-22 18:19 . 2008-05-22 18:19 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
    2008-05-22 18:18 . 2008-05-22 18:18 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-20 15:19 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-06-19 22:11 --------- d-----w C:\Program Files\DivX
    2008-06-16 17:40 --------- d-----w C:\Program Files\TDdownload
    2008-06-16 01:24 --------- d-----w C:\Program Files\Java
    2008-06-10 02:15 --------- d-----w C:\Program Files\eMule
    2008-06-05 20:04 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-05 20:04 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-01 20:06 --------- d-----w C:\Program Files\PPStream
    2008-06-01 20:06 --------- d-----w C:\Documents and Settings\Yi Quan\Application Data\ppstream
    2008-06-01 17:52 --------- d-----w C:\Program Files\MSN Messenger
    2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
    2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-05-21 02:12 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-16 03:04 --------- d-----w C:\Program Files\Common Files\Thunder Network
    2008-05-13 00:09 --------- d-----w C:\Program Files\MINITAB 14 Student
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\xing shared
    2008-04-30 12:31 --------- d-----w C:\Program Files\Common Files\Real
    2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-23 18:06 --------- d-----w C:\Program Files\Neuro
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-04-10 14:08 152 ----a-w C:\Documents and Settings\Yi Quan\Application Data\wklnhst.dat
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2006-10-19 22:55 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ------- Sigcheck -------

    2005-05-25 23:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 21:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-04 17:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
    2005-05-25 23:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    2006-01-13 06:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    2006-04-20 07:51 359808 45265cbad25c6254afafc7bdd88bdb4b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-30 13:20 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( snapshot_2008-06-13_17.20.18.96 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-13 16:44:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-20 15:20:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\14-06-2008\ERDNT.EXE
    + 2008-06-14 21:05:19 7,041,024 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-14 21:05:19 274,432 ----a-w C:\WINDOWS\ERDNT\14-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\ERDNT.EXE
    + 2008-06-15 15:07:44 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-15 15:07:45 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\15-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\ERDNT.EXE
    + 2008-06-18 11:56:34 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-18 11:56:35 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\18-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\ERDNT.EXE
    + 2008-06-19 10:53:52 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-19 10:53:53 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\20-06-2008\ERDNT.EXE
    + 2008-06-20 11:45:22 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\20-06-2008\Users\00000001\NTUSER.DAT
    + 2008-06-20 11:45:22 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\20-06-2008\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\ERDNT.EXE
    + 2008-06-15 21:31:55 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000001\NTUSER.DAT
    + 2008-06-15 21:31:56 274,432 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-15\Users\00000002\UsrClass.dat
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-19\ERDNT.EXE
    + 2008-06-19 21:31:17 7,041,024 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-19\Users\00000001\NTUSER.DAT
    + 2008-06-19 21:31:18 278,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-06-19\Users\00000002\UsrClass.dat
    - 2006-09-08 21:26:16 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    + 2008-06-16 01:12:31 262,144 ---ha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    - 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-05-22 22:22:14 66,296 ------w C:\WINDOWS\system32\pxcpya64.exe
    + 2008-05-22 22:22:16 72,440 ------w C:\WINDOWS\system32\pxhpinst.exe
    + 2008-05-22 22:22:14 64,760 ------w C:\WINDOWS\system32\pxinsa64.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 20:48 434528]

    C:\Documents and Settings\Yi Quan\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
    Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-08-27 08:05:24 504832]
    wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 14:23:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20 73728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb "= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "\ "logonui.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV "= ACDV.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\network diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "=

    R3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]
    S3 NPF111;WinPcap Packet Driver (NPF111);C:\WINDOWS\system32\drivers\NPF111.sys [2000-06-08 09:59]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 16:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
    \Shell\AutoRun\command - H:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-18 23:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-20 15:24:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-20 11:21:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-20 11:27:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-20 15:27:19
    ComboFix2.txt 2008-06-19 21:36:17
    ComboFix3.txt 2008-06-16 17:44:32
    ComboFix4.txt 2008-06-15 21:35:22
    ComboFix5.txt 2008-06-14 13:23:41

    Pre-Run: 17,683,865,600 bytes free
    Post-Run: 17,644,077,056 bytes free

    221 --- E O F --- 2008-06-20 11:52:34
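    The "Reg Loading Points" section of a log like the one above is where the three things this thread has been chasing show up: a ShellServiceObjectDelayLoad entry whose DLL is no longer on disk (midimapcb, shown with an empty `[ ]`), Security Center values that silence antivirus monitoring, and a MountPoints2 AutoRun command on a removable drive. As an added example (not ComboFix's or the forum's own code), this Python script triages those entries from a constructed sample log modelled on the posted one, and builds the same kind of REGEDIT4 removal file used later in the thread.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example, not part of ComboFix. Flags three kinds of entries:
  * ShellServiceObjectDelayLoad (SSODL) values whose DLL is missing on disk
    (ComboFix prints an empty "[ ]" where the file date/size would be),
  * Security Center values that disable AV/firewall notifications or monitoring,
  * MountPoints2 keys carrying a \\Shell\\AutoRun\\command (removable-media autorun).
"""
import re

# Constructed sample, modelled on the log posted in this thread (the CLSID on
# the "ExampleLegit" line is made up; it is there to show a non-flagged entry).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"midimapcb"= {4F4F0064-71E0-4f0d-0006-708476C7815F} - C:\WINDOWS\system32\midimapcb.dll [ ]
"ExampleLegit"= {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\example.dll [2004-08-04 17:00 12800]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2008b6a-4cbf-11db-b52d-0013029e341b}]
\Shell\AutoRun\command - H:\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"= {CLSID} - path [date time size]   (empty brackets => file not found)
SSODL_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<path>.+?)\s*\[(?P<fileinfo>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<val>[0-9A-Fa-f]{8})$')

# Security Center values that, when non-zero, hide a disabled/out-of-date
# protection from the user. The first two appear in the thread's log; the
# other two are the sibling notification switches Windows XP SP2 uses.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "disablemonitoring",
    "firewalldisablenotify", "updatesdisablenotify",
}


def triage(log_text):
    """Return a list of finding dicts, in the order the entries appear."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a new [HKEY_...] section starts
            current_key = m.group("key")
            continue
        key_lc = current_key.lower()
        if "shellserviceobjectdelayload" in key_lc:
            m = SSODL_RE.match(line)
            if m and not m.group("fileinfo").strip():
                findings.append({"kind": "ssodl_missing_file", "key": current_key,
                                 "name": m.group("name").strip(),
                                 "clsid": m.group("clsid"), "path": m.group("path")})
        elif "security center" in key_lc:
            m = DWORD_RE.match(line)
            if m and m.group("name").strip().lower() in SECURITY_CENTER_FLAGS \
                    and int(m.group("val"), 16) != 0:
                findings.append({"kind": "security_center_disabled", "key": current_key,
                                 "name": m.group("name").strip(), "value": int(m.group("val"), 16)})
        elif "\\mountpoints2\\" in key_lc:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append({"kind": "mountpoints2_autorun", "key": current_key,
                                 "command": m.group("cmd").strip()})
    return findings


def ssodl_removal_reg(findings):
    """Build a REGEDIT4 file that deletes each flagged SSODL value ("name"=-),
    the same shape as the fix.reg used in this thread. Returns "" if none."""
    by_key = {}
    for f in findings:
        if f["kind"] == "ssodl_missing_file":
            by_key.setdefault(f["key"], []).append(f["name"])
    if not by_key:
        return ""
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(ssodl_removal_reg(triage(SAMPLE_LOG)))
```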
     
  13. 2008/06/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ

    OK good.
    You can delete the dummy.txt file.

    Now do this.

    Open "Notepad". Copy the contents of the code box below into the blank Notepad.
    Click "File" > "Save As".
    In the "Save In" box at the top, click the down arrow and select Desktop.

    In the "File name" box type in: fix.reg
    In the "Save As Type" box select: All Files
    Once saved, go to your desktop, double-click the "fix.reg" file and let it merge with the registry.
    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapcb"=-
    Now let's get an on-line scan.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

    Please post the Panda Results.

    Thanks
    Geri
     
  14. 2008/06/20
    EmmaQ

    EmmaQ Inactive Thread Starter

    Joined:
    2008/06/04
    Messages:
    20
    Likes Received:
    0
    Panda results

    Hey Geri

    Here are the Panda results:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-06-20 20:03:47
    PROTECTIONS: 1
    MALWARE: 15
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Symantec AntiVirus Corporate Edition 10.1.5.5000 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00039204 adware/cws Adware No 0 Yes No c:\documents and settings\yi quan\favorites\health
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.doubleclick.net/]
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.atdmt.com/]
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.247realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.realmedia.com/]
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Cookies\yi_quan@realmedia[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Yi Quan\Application Data\Netscape\NSB\Profiles\08mfb0u7.default\cookies.txt[.realmedia.com/]
    00302996 Adware/BaiduBar Adware No 0 Yes No C:\WINDOWS\Installer\2958b0c.msi[unk_0053]
    00340367 Trj/QQpass.NB Virus/Trojan No 1 No No C:\QooBox\Quarantine\C\Program Files\TDdownload\__QQ 2006 Beta3.exe.vir[QQexternal.exe]
    00340367 Trj/QQpass.NB Virus/Trojan No 1 No No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP667\A0052275.exe[QQexternal.exe]
    00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Yi Quan\Desktop\Flash_Disinfector.exe[nircmd.exe]
    01017425 Generic Trojan Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\socul.dll.vir
    01017425 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051489.dll
    01017516 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\comploader.dll.vir
    01017516 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051488.dll
    01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Yi Quan\Desktop\Security\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP673\A0052572.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051519.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0052463.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP662\A0051978.EXE
    02134598 Adware/Sohu Adware No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051490.DLL
    02134598 Adware/Sohu Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\SODAHK.DLL.vir
    02227681 Generic Malware Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\unsocul.exe.vir
    02227681 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051491.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP673\A0052560.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP662\A0051968.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP653\A0051506.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0052453.sys
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location

    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description

    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  15. 2008/06/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi EmmaQ
    Ok please do this.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore "), please delete these files (if present):

    C:\WINDOWS\PSEXESVC.EXE
    C:\WINDOWS\Installer\2958b0c.msi


    You can delete any tools you were asked to download and the files/folders or logs they created. There will be newer versions if they are ever needed again anyway.


    Click Start > Run; in the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.


    Please delete this

    Flash_Disinfector.exe


    We need to turn System Restore off and on again. There are infections in it, and by using System Restore you would reinfect yourself.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose Create a restore point and click Next. Under "Type a description for your restore point…" put a name in the box. Click Create. In the next window click Close.


    Now please run ATF Cleaner again and do another Panda scan and post the results.

    Thanks
    Geri
     
