Computer Security & Viruses/follow up to storage protector
Expert: Brian Benosky - 2/8/2008
QUESTION: Hi. The system wouldn't allow me to post a follow-up, so I'm posting a new question. Posted below is the ComboFix log. I'd like to tell you that after running ComboFix I saw a new Internet Explorer icon on my desktop without the usual shortcut arrow. Also, it allowed me to delete all my temporary files and the two icons on my desktop. Now I have a new problem: every time I right-click on any folder in My Computer, a Windows Installer window pops up saying "Preparing to install". Then some ScanSoft PDF Create 3.0 starts installing itself, but it doesn't find the install file, so it rolls back the action.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:45 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Opware15.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Office12\GrooveMonitor.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\GizmoPlugin\GizmoPlugin.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\OpAgent.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\Notepad.exe
D:\WINDOWS\system32\Notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.in/0SEENIN/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\SYSTEM32\mobghsfp.dll (file missing)
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - D:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\OpScheduler.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iCall Internet Phone] "D:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\OpAgent.exe" /agent
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Office12\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.847\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: mobghsfp - mobghsfp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - D:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm
--
End of file - 9077 bytes
ComboFix 08-02.05.3 - Administrator 2008-02-07 23:27:29.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.47 [GMT 5.5:30]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\WINDOWS\system32\oppop.dll
D:\WINDOWS\system32\pmnomnn.dll
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\WINDOWS\dat.txt
D:\WINDOWS\rs.txt
D:\WINDOWS\system32\aiwuiwih.dll
D:\WINDOWS\system32\aqpktvpw.dll
D:\WINDOWS\system32\bhehvdpo.dll
D:\WINDOWS\system32\dikfolms.ini
D:\WINDOWS\system32\epjxqtfl.dll
D:\WINDOWS\system32\gfoxlgvs.dll
D:\WINDOWS\system32\hgonqqbs.dll
D:\WINDOWS\system32\ibwtsvur.dll
D:\WINDOWS\system32\jbtnibnw.dll
D:\WINDOWS\system32\jfkwviny.ini
D:\WINDOWS\system32\khhwygxp.ini
D:\WINDOWS\system32\lbcmchww.exe
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\mobghsfp.dll
D:\WINDOWS\system32\mobghsfp.dll . . . . failed to delete
D:\WINDOWS\system32\mobghsfp.dllbox
D:\WINDOWS\system32\mwvnpqum.dll
D:\WINDOWS\system32\nosokkad.ini
D:\WINDOWS\system32\npkfmvyt.exe
D:\WINDOWS\system32\oawnjces.dll
D:\WINDOWS\system32\oppop.dll
D:\WINDOWS\system32\pdoqcjhe.exe
D:\WINDOWS\system32\pmnomnn.dll
D:\WINDOWS\system32\pnunlgtv.dll
D:\WINDOWS\system32\poppo.ini
D:\WINDOWS\system32\poppo.ini2
D:\WINDOWS\system32\psjhecly.dll
D:\WINDOWS\system32\pxgekofn.ini
D:\WINDOWS\system32\pxgywhhk.dll
D:\WINDOWS\system32\sehhxwkw.ini
D:\WINDOWS\system32\upqqqimy.exe
D:\WINDOWS\system32\utfclosk.dll
D:\WINDOWS\system32\vdimnmje.ini
D:\WINDOWS\system32\vtglnunp.ini
D:\WINDOWS\system32\windows
D:\WINDOWS\system32\winptc32.dll
D:\WINDOWS\system32\yfeoibkw.exe
D:\WINDOWS\system32\ynivwkfj.dll
----- BITS: Possible infected sites -----
hxxp://www.firstlogin.com
hxxp://onlinesafepro.com
hxxp://onlinj+|C̛v+@J:NGD_DQ{ztһHG.X)vto
hxxp://onlinesafepro
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.
2008-02-07 23:40 . 2008-02-07 23:42 19,054 ---hs---- D:\WINDOWS\system32\mobghsfp.dllbox
2008-02-07 23:16 . 2004-08-04 00:56 388,608 --a------ D:\kmd.exe
2008-02-04 10:53 . 2008-02-04 14:31 354 ---hs---- D:\WINDOWS\system32\oenxquvj.ini
2008-01-31 00:48 . 2008-01-31 00:48 <DIR> d--hs---- D:\FOUND.012
2008-01-30 23:08 . 2008-01-30 23:08 <DIR> d-------- D:\Program Files\XoftSpySE
2008-01-30 13:32 . 2008-01-30 13:32 <DIR> d--hs---- D:\FOUND.011
2008-01-29 22:42 . 2008-01-29 22:42 <DIR> d--hs---- D:\FOUND.010
2008-01-28 11:49 . 2008-01-28 11:49 <DIR> d--hs---- D:\FOUND.009
2008-01-26 11:27 . 2008-01-26 11:27 <DIR> d--hs---- D:\FOUND.008
2008-01-25 23:42 . 2008-01-24 09:02 <DIR> d-------- D:\SDFix
2008-01-25 20:54 . 2008-01-25 20:54 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Snapfish
2008-01-25 11:53 . 2008-01-25 11:53 <DIR> d--hs---- D:\FOUND.007
2008-01-25 11:25 . 2008-01-25 11:25 <DIR> d--hs---- D:\FOUND.006
2008-01-24 21:10 . 2008-01-25 18:52 834 ---hs---- D:\WINDOWS\system32\duwwfqew.ini
2008-01-24 21:04 . 2008-02-07 23:36 163,904 --------- D:\WINDOWS\system32\mobghsfp.dll
2008-01-23 23:56 . 2008-01-23 23:56 <DIR> d-------- D:\Program Files\Common Files\eSellerate
2008-01-23 21:37 . 2008-02-07 22:56 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-23 21:37 . 2008-01-23 21:37 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-23 21:34 . 2008-01-23 21:34 <DIR> d-------- D:\Program Files\iTunes
2008-01-23 21:34 . 2008-01-23 21:34 <DIR> d-------- D:\Program Files\iPod
2008-01-23 21:31 . 2008-01-23 21:31 <DIR> d-------- D:\Program Files\QuickTime
2008-01-23 21:27 . 2008-01-23 21:27 <DIR> d-------- D:\Program Files\Common Files\Apple
2008-01-23 21:27 . 2008-01-15 02:39 30,464 --a------ D:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ D:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ D:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 18:12 --------- d-----w D:\Program Files\Chameleon Clock
2007-12-17 15:21 73,216 ----a-w D:\WINDOWS\ST6UNST.EXE
2007-12-17 15:21 249,856 ------w D:\WINDOWS\Setup1.exe
2007-12-12 13:43 --------- d-----w D:\Documents and Settings\Administrator\Application Data\TeamViewer
2007-12-09 13:27 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 15:29 13 ---h--w D:\Documents and Settings\All Users\Application Data\113.sys
2007-07-10 00:11 45,224 ----a-w D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-05-11 18:06 12,288 ----a-w D:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-07 23:36 163904 --------- D:\WINDOWS\SYSTEM32\mobghsfp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9accfaa-964b-437b-8f9f-b2731441925f}]
D:\WINDOWS\system32\gfoxlgvs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}]
D:\Program Files\Video ActiveX Access\iesplg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03372DE-ED54-49F1-AFBF-E505444D41E3}]
D:\WINDOWS\system32\oppop.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]
"OpAgent"="C:\Program Files\OpAgent.exe" [2005-08-11 13:56 155648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 01:08 185896]
"SSBkgdUpdate"="D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14 155648]
"Opware15"="C:\Program Files\Opware15.exe" [2005-08-11 13:52 69632]
"OpScheduler"="C:\Program Files\OpScheduler.exe" [ ]
"ISUSPM Startup"="D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"iCall Internet Phone"="D:\Program Files\iCall\iCall.exe" [2007-08-28 14:24 1191936]
"GrooveMonitor"="C:\Program Files\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
BTTray.lnk - D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-11-10 14:14:10 507965]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\[u]0[/u]]
Source= file:///D:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mobghsfp]
mobghsfp.dll 2008-02-07 23:36 163904 D:\WINDOWS\system32\mobghsfp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Prince of Persia Warrior Within.LNK]
path=D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration Prince of Persia Warrior Within.LNK
backup=D:\WINDOWS\pss\Registration Prince of Persia Warrior Within.LNKStartup
R3 CLEDX;Team H2O CLEDX service;D:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 HekkoVirtualCD;Hekko Virtual CD Driver;D:\WINDOWS\system32\Drivers\hvcd.sys []
S3 AVer;AVerTV PVR USB/EZMaker Pro USB Device;D:\WINDOWS\system32\DRIVERS\AvEZPRO.sys [2004-06-08 18:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 11:41:42 D:\WINDOWS\Tasks\Norton Security Scan.job"
- D:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-02-07 23:42:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: D:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> D:\WINDOWS\SYSTEM32\mobghsfp.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\GizmoPlugin\GizmoPlugin.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 23:46:12 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-07 18:16:04
ANSWER: Hi Kunal
Please download SmitfraudFix from here:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Double-click SmitfraudFix.exe
* Select 2 and hit Enter to delete infected files.
* You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
After rebooting, send me the log at C:\rapport.txt and a fresh HJT log.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hey Brian,
Thanks for the quick reply.
But I have discovered a new set of problems after running SmitfraudFix and ComboFix:
1) The right-click problem that I described previously.
2) After booting, the icons in my taskbar won't show up for at least 5 minutes.
3) The icons in My Computer take 5 minutes to show up the first time I open My Computer.
4) My wireless connection won't connect. It says "acquiring network address" but won't connect. This was not prevalent before running ComboFix.
Logs:
SmitFraudFix v2.283
Scan done at 0:16:07.21, Sat 02/09/2008
Run from D:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Killing process
hosts
127.0.0.1 localhost
VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
Generic Renos Fix
GenericRenosFix by S!Ri
Deleting infected files
IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{877FE99B-6893-4FA9-B149-FC862D507BD0}: DhcpNameServer=192.168.1.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{877FE99B-6893-4FA9-B149-FC862D507BD0}: DhcpNameServer=192.168.1.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{877FE99B-6893-4FA9-B149-FC862D507BD0}: DhcpNameServer=192.168.1.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.0.1
Deleting Temp Files
Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
Registry Cleaning
Registry Cleaning done.
SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:03 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Opware15.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Office12\GrooveMonitor.exe
D:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\OpAgent.exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\GizmoPlugin\GizmoPlugin.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\SYSTEM32\mobghsfp.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "C:\Program Files\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\OpScheduler.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iCall Internet Phone] "D:\Program Files\iCall\iCall.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\OpAgent.exe" /agent
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Office12\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Rapget - D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.847\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: mobghsfp - mobghsfp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - D:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8550 bytes
ANSWER: Hi Kunal
You have a bad trojan infection. Once we clean you up, things will return to normal. Please follow the steps below:
Run HJT (scan only) and place a check mark in the box next to the following items, then click the Fix Checked button:
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\SYSTEM32\mobghsfp.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: mobghsfp - mobghsfp.dll (file missing)
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows
Next, close HJT and please run ComboFix again following these instructions:
1. Disconnect from the internet.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, along with all other programs including your browser.
3. Double click on ComboFix.exe & follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
After ComboFix is finished, reconnect to the internet and go here:
http://www.eset.com/onlinescan/
Click on "ESET Online Scanner" to begin the process.
* Check the box next to YES, I accept the Terms of Use.
* Click Start
* When asked, allow the activex control to be installed.
* Click Start
* Check below options:
o Remove found threats
o Scan unwanted applications.
* Click Scan
* Wait for the scan to finish
* When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
* Attach this logfile to your next message, along with the new ComboFix log and new HJT log. Note: You may need to post to more than one follow-up, as the logs will be long.
Brian
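The expert's fix list above was built by hand from the HijackThis log using a few recurring tells: an entry whose file is "(file missing)" or "(no file)" (an orphaned loading point left behind after the binary was deleted), a service with "Unknown owner", and a desktop component pointing at a local HTML file (the fake "Privacy Protection" background that the SmitfraudFix step removes). The script below is an added example, not part of this thread and not code from HijackThis, ComboFix, or the expert; it encodes those same criteria so a log can be triaged consistently. The "no executable extension" check on service paths (which catches entries like `D:\WINDOWS\system32\windows`) is my own addition, and the sample log is a constructed excerpt of lines copied from the logs above.

```python
"""Triage a HijackThis (HJT) log: flag entries worth a closer look.

Added example for this thread; not code from HijackThis, ComboFix, or the
expert. The criteria mirror the ones applied by hand in the answer above.
"""
import re
from typing import List, Optional, Tuple

# Every HJT entry starts with a section code such as "O2", "O23", "R1".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# Markers HijackThis itself prints when the referenced file is absent.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumption (my own check, not an HJT convention): a service binary should
# normally carry one of these extensions.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx", ".cpl")


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the entry deserves attention, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # banner, "End of file", blank lines, etc.
    code, rest = m.group("code"), m.group("rest")

    # Orphaned loading point: registry still references a deleted file.
    if any(marker in rest for marker in MISSING_MARKERS):
        return "orphaned loading point: referenced file is missing"

    if code == "O23":
        # Service lines read "Service: Display (Name) - Publisher - Path".
        fields = [f.strip() for f in rest.split(" - ")]
        if len(fields) >= 3:
            owner, path = fields[1], fields[-1]
            if owner.lower() == "unknown owner":
                return "service binary has no publisher (Unknown owner)"
            if not path.lower().endswith(EXECUTABLE_EXTS):
                return "service path has no executable extension"

    if code == "O24" and "file:///" in rest.lower():
        # Active Desktop component backed by a local HTML file: the fake
        # "privacy danger" background that SmitfraudFix removes.
        return "desktop component sourced from a local HTML file"

    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Run triage_line over a whole log; return (code, reason, line) tuples."""
    flagged = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            flagged.append((line.split(" - ", 1)[0].strip(), reason, line.strip()))
    return flagged


# Constructed excerpt: lines copied from the HJT logs in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\SYSTEM32\mobghsfp.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: BTTray.lnk = ?
O20 - Winlogon Notify: mobghsfp - mobghsfp.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MNS Framework (MNSFramework) - Unknown owner - D:\WINDOWS\system32\MNSFramework.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm
--
End of file - 8550 bytes
"""

if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample, it flags exactly the five entries the expert told the poster to fix plus the O24 desktop component from the first log, and leaves the Adobe BHO, the Bonjour service and the O4 Run entries alone. As SmitFraudFix's own log warns, a flagged key is "not inevitably infected"; the output is a candidate list for a human to confirm, not a verdict.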