TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

reply to Superman1234

Re: [Virus] Sending Spam

Go to Start > Settings > Control Panel > Internet Options > Tools Menu > Internet Options > Connections Tab > LAN Settings > uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu > Options... > Advanced Tab > Network Tab > "Settings" under Connection.

Download the latest version of Kaspersky Virus Removal Tool
ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool/index.html
 
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Please post a new HijackThis log, the requested portion of the log from Kaspersky's Virus Removal Tool, and the ComboFix log from the last set of instructions.

--
Proud ASAP member since 2005
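The proxy check above is done by hand in the Internet Options dialog, and the same setting shows up in a HijackThis log as an R1 entry under "Internet Settings" (ProxyServer / ProxyOverride). The script below is an added example, not part of this thread and not part of HijackThis: it reads a HijackThis-style log and pulls out the three things a cleanup helper looks for first, namely proxy settings pushed into Internet Explorer, O4 autostart entries that point at an eight-letter lowercase name in system32 (the naming pattern of the files the Kaspersky report in this thread deleted; treat a hit as "inspect this file", not as a verdict), and O20/O23 entries whose file is missing. The sample log is constructed for the example and only its line shapes match real HijackThis output; the name xyzxyzxy.exe is a placeholder.

```python
"""Triage helper for HijackThis-style logs.

Added example; it is neither HijackThis code nor code posted in the thread.
The sample log below is constructed: the line shapes follow HijackThis v2
output, but the entries themselves (and the name xyzxyzxy.exe) are placeholders.
"""
import re
from typing import Dict, List

# Constructed sample log (not a log from the thread).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [xyzxyzxy] C:\WINDOWS\system32\xyzxyzxy.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Registry values under Internet Settings that route the browser through a proxy.
PROXY_KEYS = ("ProxyServer", "ProxyEnable", "ProxyOverride", "AutoConfigURL")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split the log into (code, body) entries; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def find_proxy_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """R-entries that set a proxy in Internet Settings.

    A proxy the user never configured (a loopback address is the classic case)
    is what the helper asks to uncheck under Connections > LAN Settings.
    """
    hits = []
    for e in entries:
        if not e["code"].startswith("R"):
            continue
        if "Internet Settings," in e["body"] and any(k in e["body"] for k in PROXY_KEYS):
            key, _, value = e["body"].partition(" = ")
            hits.append({"key": key.rsplit(",", 1)[1], "value": value.strip()})
    return hits


def _is_random_sys32_name(path: str) -> bool:
    """Heuristic: eight lowercase letters + .exe/.dll directly under system32."""
    folder, _, name = path.strip().strip('"').rpartition("\\")
    return folder.lower().endswith("\\system32") and re.fullmatch(r"[a-z]{8}\.(exe|dll)", name) is not None


def find_suspicious_autostarts(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """O4 Run entries whose target matches the random-name heuristic above."""
    hits = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = re.search(r"\[(?P<name>[^\]]+)\]\s+(?P<target>.+)$", e["body"])
        if m and _is_random_sys32_name(m.group("target")):
            hits.append({"name": m.group("name"), "target": m.group("target").strip()})
    return hits


def find_missing_files(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """O20 notify and O23 service entries whose file is gone but still loads at boot/logon."""
    return [e for e in entries if e["code"] in ("O20", "O23") and "(file missing)" in e["body"]]


def triage(text: str) -> Dict[str, list]:
    """Run all three checks over a log and return the findings by category."""
    entries = parse_hjt(text)
    return {
        "proxy": find_proxy_entries(entries),
        "autostart": find_suspicious_autostarts(entries),
        "missing": find_missing_files(entries),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(hits)})")
        for h in hits:
            print("  ", h)
```

On the constructed sample the proxy check reports the 127.0.0.1:5555 ProxyServer value, the autostart check flags only the placeholder system32 entry (SynTPLpr lives outside system32 and is ignored), and the missing-file check returns the ACNotify and sdAuxService entries. The eight-letter rule is deliberately narrow; widen or replace it for a different family rather than treating it as a general malware test.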


Superman1234

@verizon.net

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:33 PM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Nexon\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 11633 bytes

Kaspersky:
Scan
----
Scanned: 898505
Detected: 35
Untreated: 0
Start time: 6/1/2009 1:23:02 PM
Duration: 03:12:43
Finish time: 6/1/2009 4:35:45 PM

Detected
--------
Status Object
------ ------
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\ATL\My Documents\LimeWire\Incomplete\T-5745425-great escape (unplugged version).mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.u File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\baptism of solitude.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.n File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\great escape boys like girls - greatest hits.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.r File: C:\Documents and Settings\ATL\My Documents\LimeWire\Saved\little too not over you.mp3
deleted: Trojan program Trojan-Downloader.Win32.Small.akgk File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN//CryptZ
deleted: virus Email-Worm.Win32.Zhelatin.vl File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\14540001.VBN//CryptZ
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox\Quarantine\C\WINDOWS\system32\rayizanu.exe.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\Qoobox\Quarantine\C\WINDOWS\system32\vakakayu.exe.vir
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065112.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065113.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065118.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065120.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065124.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065132.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065141.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065143.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065146.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065152.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065156.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP146\A0065165.dll
deleted: Trojan program Backdoor.Win32.NewRest.z File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP147\A0069292.sys
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP148\A0071430.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP148\A0071433.exe
deleted: Trojan program Packed.Win32.Krap.n File: C:\WINDOWS\system32\fujayagi.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\ligenisa.exe
deleted: Trojan program Trojan-Dropper.Win32.Xpiut.hq File: C:\WINDOWS\system32\lonazaki.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\ludojila.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\malodoso.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\WINDOWS\system32\nokadeno.exe
deleted: Trojan program Packed.Win32.Krap.n File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075721.dll
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075722.exe
deleted: Trojan program Trojan-Dropper.Win32.Xpiut.hq File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075723.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075724.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075725.exe
deleted: Trojan program Packed.Win32.Krap.q File: C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP150\A0075726.exe

Combofix:
ComboFix 09-05-30.03 - ATL 05/31/2009 19:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -7:00]
Running from: c:\documents and settings\ATL\Desktop\pppp.exe
Command switches used :: c:\documents and settings\ATL\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

FILE ::
"c:\windows\system32\drivers\19afffad.sys"
"c:\windows\system32\drivers\df90d040.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\19afffad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_19afffad
-------\Service_df90d040

((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-31 06:38 . 2009-05-31 06:46 -------- d-s---w C:\ComboFix
2009-05-30 18:32 . 2009-05-30 18:32 -------- dc----w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-30 16:51 . 2009-05-30 16:51 -------- d-----w c:\program files\Trend Micro
2009-05-30 16:43 . 2009-05-26 20:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 16:43 . 2009-05-30 16:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-30 16:43 . 2009-05-26 20:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 00:47 . 2009-05-22 00:47 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-21 10:34 . 2009-05-21 10:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\ATL\Application Data\Malwarebytes
2009-05-05 07:13 . 2009-05-05 07:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 45056 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\MapleStory.exe1_DB457427E7B9425292170DC5FADE980F.exe
2009-05-03 08:05 . 2009-05-03 08:05 10134 ----a-r c:\documents and settings\ATL\Application Data\Microsoft\Installer\{8BF863F9-7739-4DA4-B40A-2AD76D571B82}\ARPPRODUCTICON.exe
2009-05-03 06:34 . 2009-05-03 08:31 -------- d-----w c:\documents and settings\ATL\Local Settings\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:35 -------- d-----w c:\documents and settings\All Users\Application Data\PMB Files
2009-05-03 06:34 . 2009-05-03 06:34 -------- d-----w c:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 02:41 . 2008-08-07 06:35 40 ----a-w c:\windows\system32\profile.dat
2009-06-01 02:17 . 2008-08-09 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-31 06:14 . 2009-03-30 09:42 -------- d-----w c:\documents and settings\ATL\Application Data\PC Tools
2009-05-30 18:52 . 2008-08-07 06:35 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-03 08:34 . 2009-03-30 09:42 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 08:12 . 2009-05-03 08:12 87552 ---ha-w c:\windows\system32\BITA21.tmp
2009-05-03 08:12 . 2009-05-03 08:12 79872 ---ha-w c:\windows\system32\BITA22.tmp
2009-05-03 08:12 . 2009-05-03 08:12 50688 ---ha-w c:\windows\system32\BITA20.tmp
2009-05-02 21:01 . 2008-08-13 01:49 -------- d-----w c:\program files\Warcraft III
2009-05-01 21:04 . 1980-01-01 07:00 212480 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-29 07:28 . 2008-12-31 09:09 -------- d-----w c:\documents and settings\ATL\Application Data\LimeWire
2009-04-14 04:03 . 2009-04-14 04:03 2713 --sh--w c:\windows\system32\barufutu.exe
2009-04-10 22:37 . 2009-04-10 22:37 2713 --sh--w c:\windows\system32\ratijipe.exe
2009-04-09 22:37 . 2009-04-09 22:37 15644 --sha-w c:\windows\system32\pisabupe.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\nopededo.dll
2009-04-09 08:36 . 2009-04-09 08:36 2713 --sh--w c:\windows\system32\limehabe.exe
2009-04-01 05:55 . 2009-04-01 05:55 10866 --sha-w c:\windows\system32\fujayagi.dll
2009-03-23 08:02 . 2009-03-23 08:02 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-20 05:34 . 2008-08-13 01:53 77691 ----a-w c:\windows\War3Unin.dat
2009-03-06 23:45 . 2009-03-30 09:43 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-06 06:59 . 2009-03-23 08:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 06:59 . 2008-12-26 20:30 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-01 08:42 . 2009-02-01 08:42 50688 --sha-w c:\windows\system32\ligenisa.exe
2009-01-12 21:16 . 2009-01-12 21:16 51200 --sha-w c:\windows\system32\lonazaki.exe
2009-02-02 19:53 . 2009-02-02 19:53 51200 --sha-w c:\windows\system32\ludojila.exe
2009-02-04 04:48 . 2009-02-04 04:48 50688 --sha-w c:\windows\system32\malodoso.exe
2009-02-03 08:12 . 2009-02-03 08:12 50688 --sha-w c:\windows\system32\nokadeno.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2008-08-26 05:33 502784 B359DE33041BA9ACAB6392745C3F81ED c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-01 21:04 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2008-08-26 05:33 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-31_06.57.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-01 02:21 . 2009-06-01 02:21 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2009-05-22 00:47 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
- 2009-05-22 00:47 . 2009-05-31 06:47 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-05-31 21:44 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009053120090601\index.dat
+ 2008-08-07 06:47 . 2009-06-01 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-07 06:47 . 2009-05-31 06:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-07 06:47 . 2009-06-01 02:30 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-08-07 06:47 . 2009-05-31 06:47 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-11-1 581693]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-6 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 20:01 32768 ----a-w c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 21:59 39936 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56823:TCP"= 56823:TCP:Pando Media Booster
"56823:UDP"= 56823:UDP:Pando Media Booster

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/30/2009 2:43 AM 130424]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/6/2008 11:19 PM 85760]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/6/2008 11:19 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/6/2008 11:42 PM 4442]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 2:44 PM 3328]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [8/18/2005 5:22 PM 124608]
S3 sdAuxService;PC Tools Auxiliary Service;c:\nexon\Spyware Doctor\pctsAuxs.exe --> c:\nexon\Spyware Doctor\pctsAuxs.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-881565578-3357626825-4007795620-1005.job
- c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-11 10:27]

2009-06-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-07 08:12]

2008-08-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-08-07 00:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\ATL\Application Data\Mozilla\Firefox\Profiles\qwywtq3l.default\
FF - plugin: c:\documents and settings\ATL\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 19:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1020)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5692)
c:\windows\system32\PROCHLP.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-06-01 19:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 02:48
ComboFix2.txt 2009-05-31 06:58

Pre-Run: 64,674,787,328 bytes free
Post-Run: 64,641,310,720 bytes free

271 --- E O F --- 2009-03-13 10:02



TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5

Not only has Kaspersky's Virus Removal Tool removed several infections, it has also shown the apparent source of at least part of your infections - downloading infected files with LimeWire. As I pointed out in my previous post, even if you replace LimeWire with a clean P2P program, that only means that the program is clean; it doesn't mean that the files you download will be, and you have infected mp3 files that were downloaded with it.

If you uninstalled LimeWire as recommended, then you should also delete the following folder, but first you will need to be sure you have hidden files and folders showing.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

c:\documents and settings\ATL\Application Data\LimeWire

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

If you uninstalled Limewire as recommended, also do this:

Please run Notepad and paste the following text in the Quote box (between the lines) into a new file:

quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry. A window will open and quickly close.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.
Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

quote:
File::
c:\windows\system32\BITA21.tmp
c:\windows\system32\BITA22.tmp
c:\windows\system32\BITA20.tmp
c:\windows\system32\barufutu.exe
c:\windows\system32\ratijipe.exe
c:\windows\system32\pisabupe.dll
c:\windows\system32\nopededo.dll
c:\windows\system32\limehabe.exe
c:\windows\system32\fujayagi.dll
c:\windows\system32\ligenisa.exe
c:\windows\system32\lonazaki.exe
c:\windows\system32\ludojila.exe
c:\windows\system32\malodoso.exe
c:\windows\system32\nokadeno.exe

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

Please post a new HijackThis log, the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005
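As an added example (not part of TheJoker's post or of any tool mentioned in it), the following PowerShell audits the same Windows Firewall AuthorizedApplications list that ComboFix reported, flags exceptions whose executable no longer exists on disk (what an uninstalled program such as LimeWire leaves behind), and removes them, which is the scripted equivalent of the `=-` line in fix.reg. It assumes the full key path behind the log's `HKLM\~\services\sharedaccess\...` shorthand and an administrator account.

```powershell
# Added example, not from the thread: audit the Windows XP SP2 firewall
# exception list that ComboFix reported, flag entries whose executable is
# no longer on disk (what an uninstalled program such as LimeWire leaves
# behind), and remove them. Run from an administrator account.
# Assumption: this is the full path behind the log's "HKLM\~\services\..." shorthand.
$FirewallAppList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Get-FirewallAppExceptions {
    param([string]$KeyPath = $FirewallAppList)
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # The value name is the executable path; it may use %windir%-style
        # variables, so expand them before checking the file system.
        $exe = [Environment]::ExpandEnvironmentVariables($name)
        [pscustomobject]@{
            Path    = $name
            Exists  = [bool](Test-Path -LiteralPath $exe -PathType Leaf)
            Setting = [string]$key.GetValue($name)   # e.g. "<path>:*:Enabled:LimeWire"
        }
    }
}

$exceptions = Get-FirewallAppExceptions
$exceptions | Sort-Object Exists | Format-Table -AutoSize

# Orphaned exceptions are removed the same way the "=-" line in fix.reg does it.
# -WhatIf only reports what would be removed; drop it after reviewing the list.
$exceptions | Where-Object { -not $_.Exists } | ForEach-Object {
    Remove-ItemProperty -Path $FirewallAppList -Name $_.Path -WhatIf
}
```

On Vista and later the firewall keeps its rules under FirewallPolicy\FirewallRules instead, so this list is only meaningful on Windows XP systems like the one in the log.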

© 1999-2012 dslreports.com.