Computer Security & Viruses/Rob Perrin - Laptop virus infection follow up


Question
QUESTION: Hi Brian,
I had to start a new question as it would not let me reply with any more follow-ups.
I have now run ComboFix and have a new HijackThis log. Please see below. Thanks for getting back to me so quickly.

ComboFix 08-08-08.08 - Robert 2008-08-09 23:12:19.1 - FAT32 x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.225 [GMT 1:00]
Running from: C:\Documents and Settings\Robert\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Amanda\Application Data\macromedia\Flash Player\#SharedObjects\9MSYM74N\interclick.com
C:\Documents and Settings\Amanda\Application Data\macromedia\Flash Player\#SharedObjects\9MSYM74N\interclick.com\ud.sol
C:\Documents and Settings\Amanda\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Amanda\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Robert\Application Data\FunWebProducts
C:\Documents and Settings\Robert\Application Data\macromedia\Flash Player\#SharedObjects\WTDU8924\interclick.com
C:\Documents and Settings\Robert\Application Data\macromedia\Flash Player\#SharedObjects\WTDU8924\interclick.com\ud.sol
C:\Documents and Settings\Robert\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Robert\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Robert\err.log
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\Windg47.sys
C:\WINDOWS\system32\eeyfyfrf.ini
C:\WINDOWS\system32\frfyfyee.dll
C:\WINDOWS\system32\geBuRHBR.dll
C:\WINDOWS\system32\gemqsh.dll
C:\WINDOWS\system32\ipfdenkf.ini
C:\WINDOWS\system32\kfytinvr.ini
C:\WINDOWS\system32\KknTvyay.ini
C:\WINDOWS\system32\KknTvyay.ini2
C:\WINDOWS\system32\lcuwncpm.dll
C:\WINDOWS\system32\lnvbchna.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\plgwqmtp.dll
C:\WINDOWS\system32\RBHRuBeg.ini
C:\WINDOWS\system32\RBHRuBeg.ini2
C:\WINDOWS\system32\uanmptfu.ini
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\yuxvwiio.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDG47
-------\Service_Windg47


(((((((((((((((((((((((((   Files Created from 2008-07-09 to 2008-08-09  )))))))))))))))))))))))))))))))
.

2008-08-09 23:03 . 2008-08-09 23:03   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-09 17:01 . 2008-08-09 17:01   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-08-09 17:01 . 2008-08-09 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 18:16 . 2008-08-08 18:16   <DIR>   d--hs----   C:\FOUND.005
2008-08-08 00:22 . 2008-08-08 00:22   <DIR>   d--hs----   C:\FOUND.004
2008-08-07 23:42 . 2008-08-07 23:42   <DIR>   d--------   C:\WINDOWS\system32\NtmsData
2008-08-07 23:36 . 2008-08-07 23:36   <DIR>   d--------   C:\Documents and Settings\Robert\Application Data\Malwarebytes
2008-08-07 22:50 . 2008-08-07 22:50   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-07 22:49 . 2008-08-07 22:49   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 22:49 . 2008-08-07 22:49   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 22:49 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-07 22:49 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 21:02 . 2008-08-07 21:02   <DIR>   d---s----   C:\Documents and Settings\Administrator\UserData
2008-08-05 20:48 . 2008-08-05 20:48   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-05 20:39 . 2008-08-05 20:39   <DIR>   d--------   C:\Program Files\O2
2008-08-05 20:33 . 2008-08-05 20:48   728   --a------   C:\WINDOWS\{4507868A-A9CD-4ECC-BD54-0EAB6EE81D42}_WiseFW.ini
2008-08-04 01:47 . 2008-08-04 01:47   <DIR>   d--hs----   C:\FOUND.003
2008-08-03 21:59 . 2008-08-03 21:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\services
2008-08-03 21:58 . 2008-08-03 21:58   <DIR>   d--------   C:\Program Files\Lavasoft
2008-08-03 21:58 . 2008-08-03 21:58   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 21:56 . 2008-08-03 21:56   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 16:19 . 2008-08-03 16:19   <DIR>   d--------   C:\WINDOWS\McAfee.com
2008-08-02 23:31 . 2007-08-14 08:12   5,760   ---------   C:\WINDOWS\system32\15DB.tmp
2008-08-01 21:07 . 2008-08-01 21:07   <DIR>   d--hs----   C:\FOUND.002
2008-08-01 20:50 . 2008-08-01 20:50   <DIR>   d--hs----   C:\FOUND.001
2008-08-01 20:28 . 2005-12-29 13:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-08-01 20:28 . 2007-11-21 21:04   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-01 20:28 . 2005-12-29 13:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\AOL
2008-08-01 20:28 . 2008-08-01 20:28   <DIR>   d--------   C:\Documents and Settings\Administrator
2008-08-01 00:15 . 2008-08-01 00:15   <DIR>   d--hs----   C:\FOUND.000
2008-07-31 22:47 . 2008-07-31 22:47   <DIR>   d--------   C:\Program Files\Sophos
2008-07-28 23:37 . 2008-08-09 18:52   96,645   --a------   C:\WINDOWS\system32\drivers\klin.dat
2008-07-28 23:37 . 2008-08-09 18:52   87,941   --a------   C:\WINDOWS\system32\drivers\klick.dat
2008-07-28 23:35 . 2008-07-28 23:35   <DIR>   d--------   C:\Program Files\Kaspersky Lab
2008-07-28 23:35 . 2008-07-28 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-28 23:34 . 2008-08-09 18:56   32   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-28 23:34 . 2008-08-09 18:56   32   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-28 23:34 . 2008-08-09 18:56   32   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-28 23:34 . 2008-08-09 18:56   32   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-28 23:06 . 2008-07-28 23:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-28 23:03 . 2008-07-28 23:03   <DIR>   d--------   C:\Program Files\7-Zip
2008-07-28 22:09 . 2008-07-28 22:09   294   ---hs----   C:\WINDOWS\system32\yromlkni.ini
2008-07-27 23:02 . 2008-07-27 23:02   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-25 23:38 . 2008-07-25 23:38   <DIR>   d--------   C:\Program Files\Guitar Pro 5
2008-07-16 23:21 . 2008-07-16 23:21   <DIR>   d--------   C:\Program Files\AC3Filter
2008-07-16 23:21 . 2008-07-09 09:05   421,888   --a------   C:\WINDOWS\system32\ac3filter.acm
2008-07-16 23:06 . 2008-07-16 23:06   <DIR>   d--------   C:\Program Files\GSpot
2008-07-16 07:49 . 2008-06-11 01:07   129,784   ---------   C:\WINDOWS\system32\pxafs.dll
2008-07-16 07:49 . 2008-06-11 01:07   120,056   ---------   C:\WINDOWS\system32\pxcpyi64.exe
2008-07-16 07:49 . 2008-06-11 01:07   118,520   ---------   C:\WINDOWS\system32\pxinsi64.exe
2008-07-16 07:49 . 2008-06-11 01:07   9,464   ---------   C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-16 07:49 . 2008-06-11 01:07   9,336   ---------   C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-11 23:09 . 2008-07-11 23:09   <DIR>   d--------   C:\Program Files\Handbrake
2008-07-09 19:10 . 2008-07-09 19:10   <DIR>   d--------   C:\Documents and Settings\Robert\Application Data\TomTom
2008-07-09 19:10 . 2008-07-09 19:10   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TomTom
2008-07-09 19:09 . 2008-07-09 19:09   <DIR>   d--------   C:\Program Files\TomTom HOME 2
2008-07-09 19:03 . 2008-07-09 19:03   <DIR>   d--------   C:\Program Files\TomTom HOME
2008-07-09 11:37 . 2008-07-09 11:37   <DIR>   d--------   C:\Documents and Settings\Robert\Application Data\InstallShield
2008-07-09 11:35 . 2008-07-09 11:35   <DIR>   d--------   C:\Program Files\TomTom DesktopSuite

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 21:10   94,920   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10   53,448   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09   325,832   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09   1,811,656   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-06 10:01   2,560   ----a-w   C:\WINDOWS\system32\bitcometres.dll
2008-07-06 10:00   ---------   d-----w   C:\Program Files\BitComet
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41   148,992   ----a-w   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 17:52   161,096   ----a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-15 07:52   ---------   d-----w   C:\Program Files\Common Files\IviSDK
2008-06-15 07:47   ---------   d-----w   C:\Program Files\WinTV
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 20:18   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-12 20:15   ---------   d-----w   C:\Program Files\McAfee.com
2008-06-12 20:15   ---------   d-----w   C:\Program Files\McAfee
2008-06-12 20:15   ---------   d-----w   C:\Program Files\Common Files\McAfee
2008-06-12 20:05   ---------   d-----w   C:\Program Files\Common Files\SupportSoft
2008-06-12 19:26   ---------   d-----w   C:\Program Files\Western Digital Technologies
2008-06-11 00:07   524,288   ----a-w   C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07   3,596,288   ----a-w   C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:18   12,288   ----a-w   C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 10:58   12,632   ----a-w   C:\WINDOWS\system32\lsdelete.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 09:42 202088]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2005-03-04 13:13 32768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [2005-03-09 18:59 49152]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2005-03-28 12:30 315392]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-05 09:40 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 12:36 229376]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14 217088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"O2"="C:\Program Files\O2\bin\sprtcmd.exe" [2008-03-28 22:47 198184]
"SiSPower"="SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-01-04 16:52:52 331776]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-11-20 17:00:00 114688]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-10-27 15:25:11 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc03.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"mW[־`=v%S8>grl>\=۱"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\O2\\bin\\wificfg.exe"=
"C:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"C:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7520:TCP"= 7520:TCP:BitComet 7520 TCP
"7520:UDP"= 7520:UDP:BitComet 7520 UDP

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 16:43]
S0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
S0 Winhl47;Winhl47;C:\WINDOWS\system32\Drivers\Winhl47.sys []
S0 Winwc03;Winwc03;C:\WINDOWS\system32\Drivers\Winwc03.sys []
S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
S2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);C:\Program Files\O2\bin\sprtsvc.exe [2007-06-07 16:19]
S3 hcw66xxx;WinTV HVR-900H;C:\WINDOWS\system32\Drivers\hcw66xxx.sys [2008-02-27 23:46]
S3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-12-15 15:18]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\15DB.tmp [2007-08-14 08:12]
S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 08:08]
S3 STUSB2Ir;USB 2.0 IrDA Bridge;C:\WINDOWS\system32\DRIVERS\stusb2ir.sys [2004-09-07 18:11]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 18:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SmartAccess\bcont.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{275C3279-F377-43D4-A530-C738EECA7A89} - C:\WINDOWS\system32\yayvTnkK.dll
HKCU-Run-Polar Sync - (no file)
HKLM-Run-eRecoveryService - C:\Acer\Empowering Technology\eRecovery\Monitor.exe
HKLM-Run-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
Notify-qoMCuRJB - qoMCuRJB.dll
Notify-yayvTLFX - yayvTLFX.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\vpmzke6q.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 23:17:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\15DB.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-08-09 23:19:25 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-09 22:19:22

Pre-Run: 3,324,379,136 bytes free
Post-Run: 3,647,209,472 bytes free

288   --- E O F ---   2008-08-03 19:14:20

Hijackthis new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Robert\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5352/mcfscan.cab
O23 - Service: 0250541217787716mcinstcleanup -  - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9022 bytes




ANSWER: Hi Robert

Much better log.  Open HJT and run a Scan Only.  Place a check mark in the box next to the following items, close all other windows, then click on the Fix Checked button:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: 0250541217787716mcinstcleanup - - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)

Reboot, and let me know how the computer is running.  Hopefully everything should be back to normal.

Brian
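
The four lines the expert picks out above share one trait: each points at a file that is no longer on disk ("(no file)" / "(file missing)"), which is what a post-cleanup HijackThis log leaves behind. The script below, an added example that is not part of the original exchange, automates that triage over a constructed sample in HijackThis 2.0.2 format; the section codes and the "Service: name - vendor - path" layout are as shown in the log, and the vendor-name check is an assumption about how HijackThis prints O23 lines.

```python
import re

# Constructed sample in HijackThis 2.0.2 format: healthy entries mixed with the
# four orphaned ones the expert picked out of Robert's log.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: 0250541217787716mcinstcleanup -  - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Assumed O23 layout: "Service: <display name> (<short name>) - <vendor> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# HijackThis marks a dangling reference with one of these two trailers.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_line(line):
    """Describe one HijackThis entry, or return None for non-entry lines
    (running-process list, header, blank lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if body.endswith(MISSING_MARKERS):
        reasons.append("target file missing")
    if section == "O23":
        svc = SERVICE_RE.match(body)
        # A service with an empty vendor field is worth a second look even
        # when its binary still exists.
        if svc and not svc.group("vendor").strip():
            reasons.append("service has no vendor name")
    return {"section": section, "body": body, "orphan": bool(reasons), "reasons": reasons}


def orphaned_entries(log_text):
    """Entries that reference something no longer on disk: the candidates
    one would tick for 'Fix Checked' after a malware cleanup."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and entry["orphan"]:
            hits.append(entry)
    return hits


def checklist(log_text):
    """Plain-text list in the same form the expert posted in his answer."""
    return "\n".join(f"{e['section']} - {e['body']}" for e in orphaned_entries(log_text))


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e['section']:<4} {', '.join(e['reasons'])}: {e['body']}")
```

Run it against a full HijackThis log and compare the output with the list the expert wrote by hand; anything else it flags still needs a human decision before fixing.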

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
It does seem to be back to normal and I am no longer getting any nasty anti-virus pop-ups. Thanks for all your help and getting me to this point.
The only fault left is my desktop background. It is white and I have tried changing it but nothing happens. Any ideas?
Thanks for doing this, let me know if you need any positive references.

Answer
Hi Robert

You're welcome, and just positive feedback here on AllExperts is all that I ask in return :-)

For the wallpaper problem, the malware has changed the registry, which you will need to manually reverse.
1. Click Start
2. Click Run
3. Type: regedit
4. Navigate to the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html (yours might be slightly different).
5. Click on the entry once.
6. Push Delete on the keyboard.
7. Click Yes.
8. Close the Registry editor.

You should now be able to change the wallpaper.  If not, let me know so we can try another method.

Brian

Brian Benosky
©2012 About.com, a part of The New York Times Company. All rights reserved.