Booney36 BHO-KD {Trj} please help me oldman

Hi oldman,
First of all, let me say thanks for any help you give me.
My problem is:
file name: C:\WINDOWS\system32\kbdu.dll[UPX]
Malware name: Win32:BHO-KD [trj]

I have read a few others like it and have run ComboFix, then ran HJT.
Here are the logs. Thanks again for your time.

Ken Boone

My ComboFix log

ComboFix 08-01-20.1 - Booney 2008-01-20 11:52:36.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -6:00]
Running from: C:\Documents and Settings\Booney\Local Settings\Temporary Internet Files\Content.IE5\OX2BKH2Z\ComboFix[1].exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\Booney\Application Data\WinTouch
C:\Documents and Settings\Booney\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Booney\My Documents\FNTS~1
C:\Documents and Settings\Booney\My Documents\FNTS~1\F?nts
C:\Documents and Settings\LocalService\Desktop\searchus.exe
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Common Files\rtekex.html
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ISM
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive8.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\b122.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\mrofinu1053.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy_acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\amqpaalb.dll
C:\WINDOWS\system32\brmbqqjt.dll
C:\WINDOWS\system32\cbcfe.ini
C:\WINDOWS\system32\cbcfe.ini2
C:\WINDOWS\system32\ccaafnom.dll
C:\WINDOWS\system32\ccisfrdx.dll
C:\WINDOWS\system32\cqpwnvnn.ini
C:\WINDOWS\system32\ddocvpsw.dll
C:\WINDOWS\system32\deewxhtr.ini
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\dqeejciu.dll
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\jizzvgdn.dat
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\edneiirh.dll
C:\WINDOWS\system32\enfudsfv.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\fcxcigwq.dll
C:\WINDOWS\system32\fieakmkl.dll
C:\WINDOWS\system32\fjjkolci.dll
C:\WINDOWS\system32\ggpcjvcf.dll
C:\WINDOWS\system32\gheqwhlg.ini
C:\WINDOWS\system32\gkpuntpi.ini
C:\WINDOWS\system32\glhwqehg.dll
C:\WINDOWS\system32\gljnpukf.dll
C:\WINDOWS\system32\gqjfrenw.dll
C:\WINDOWS\system32\hcwwokgk.dll
C:\WINDOWS\system32\imfrpqel.dll
C:\WINDOWS\system32\iptnupkg.dll
C:\WINDOWS\system32\jjiejvdj.dll
C:\WINDOWS\system32\jnjhraoe.dll
C:\WINDOWS\system32\jriukfik.dll
C:\WINDOWS\system32\jtatqqge.dll
C:\WINDOWS\system32\kbdu.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\nmeqvrtr.dll
C:\WINDOWS\system32\nnvnwpqc.dll
C:\WINDOWS\system32\ofexmsbd.dll
C:\WINDOWS\system32\oiukxdnw.dll
C:\WINDOWS\system32\puhienht.dll
C:\WINDOWS\system32\qwgicxcf.ini
C:\WINDOWS\system32\rfjufkyj.dll
C:\WINDOWS\system32\rthxweed.dll
C:\WINDOWS\system32\rtrvqemn.ini
C:\WINDOWS\system32\sbmludmy.dll
C:\WINDOWS\system32\sgibjhip.dll
C:\WINDOWS\system32\sgsowsff.dll
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\thneihup.ini
C:\WINDOWS\system32\vfsdufne.ini
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\whtnyjxv.dll
C:\WINDOWS\system32\wintsvsu32.exe
C:\WINDOWS\system32\wjdqdyni.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wnerfjqg.ini
C:\WINDOWS\system32\ymdulmbs.ini
C:\WINDOWS\system32\yrbqkhsy.dll
C:\WINDOWS\troy44.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk
.exe
C:\WINDOWS\xxxvideo.exe

----- Unknown downloads made by BITS: ----
http://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BQYPPRRN
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\LEGACY_NETWORK_MONITOR
-------\bqypprrn
-------\General Socket Service

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 11:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 08:23 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-20 06:12 . 2008-01-20 06:12 d-------- C:\Program Files\Enigma Software Group
2008-01-18 08:05 . 2008-01-18 09:42 54 --a------ C:\WINDOWS\JascCmdFile.INI
2008-01-17 02:31 . 2008-01-17 02:31 d-------- C:\Documents and Settings\Booney\Application Data\Jasc
2008-01-16 23:29 . 2008-01-16 23:29 d--h----- C:\WINDOWS\PIF
2008-01-16 22:32 . 2008-01-16 22:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 22:32 . 2008-01-16 22:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 17:33 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-16 17:33 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-16 17:33 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-16 17:33 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-16 17:33 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-16 17:33 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-16 17:32 . 2008-01-16 17:32 d-------- C:\Program Files\Alwil Software
2008-01-16 17:32 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-16 17:32 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-16 17:32 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-16 04:28 . 2008-01-16 04:28 d-------- C:\WINDOWS\system32\6667706A69726D7
2008-01-16 04:28 . 2007-12-14 06:40 120,832 --a------ C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe
2008-01-15 08:15 . 2008-01-16 09:30 1,058,374 ---hs---- C:\WINDOWS\system32\qysojihx.ini
2008-01-14 07:21 . 2008-01-15 08:09 1,057,996 ---hs---- C:\WINDOWS\system32\rmoxaihw.ini
2008-01-12 20:36 . 2008-01-12 20:36 d--hs---- C:\FOUND.008
2008-01-12 13:52 . 2008-01-14 07:15 1,065,518 ---hs---- C:\WINDOWS\system32\nekykljl.ini
2008-01-11 17:30 . 2008-01-11 17:30 d-------- C:\Program Files\Dot1XCfg
2008-01-11 03:01 . 2008-01-11 03:01 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-11 01:49 . 2008-01-12 12:39 1,058,402 ---hs---- C:\WINDOWS\system32\ouiqdjag.ini
2008-01-11 01:48 . 2008-01-20 10:44 15,585 --a------ C:\WINDOWS\BM41363cce.xml
2008-01-11 01:47 . 2008-01-20 09:06 22 --a------ C:\WINDOWS\pskt.ini
2008-01-09 16:35 . 2008-01-09 16:35 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-09 16:11 . 2008-01-09 16:11 d-------- C:\Program Files\Internet Explorer Assistant
2008-01-09 16:00 . 2008-01-11 01:46 1,058,135 ---hs---- C:\WINDOWS\system32\pnbrprbx.ini
2008-01-09 15:55 . 2008-01-09 15:55 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2008-01-09 15:54 . 2008-01-09 15:54 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-09 15:50 . 2008-01-09 15:50 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2008-01-09 15:41 . 2008-01-09 15:41 d--hs---- C:\FOUND.007
2008-01-09 15:32 . 2008-01-09 15:32 599,080 --a------ C:\autoruns.exe
2008-01-08 10:55 . 2008-01-08 10:55 208,896 --a------ C:\WINDOWS\ss245sd.exe
2008-01-06 11:13 . 2008-01-06 11:13 d--hs---- C:\FOUND.006
2008-01-04 16:19 . 2008-01-05 16:15 1,031,799 ---hs---- C:\WINDOWS\system32\xqftatky.ini
2008-01-04 03:10 . 2008-01-04 03:10 d--hs---- C:\FOUND.005
2008-01-01 22:23 . 2008-01-14 12:22 379 --a------ C:\WINDOWS\wininit.ini
2008-01-01 15:43 . 2008-01-01 15:43 d--hs---- C:\FOUND.004
2008-01-01 14:58 . 2008-01-01 14:58 d--hs---- C:\FOUND.003
2007-12-31 16:32 . 2007-12-31 16:32 d--hs---- C:\FOUND.002
2007-12-31 16:13 . 2008-01-04 16:16 1,031,679 ---hs---- C:\WINDOWS\system32\wddexfxr.ini
2007-12-31 16:04 . 2007-12-31 16:04 d--hs---- C:\FOUND.001
2007-12-28 11:53 . 2007-12-28 11:53 d-------- C:\Program Files\RcvSystem
2007-12-27 11:48 . 2007-12-29 14:01 908,443 ---hs---- C:\WINDOWS\system32\aepsieop.ini
2007-12-25 19:43 . 2007-12-25 19:43 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-25 18:31 . 2007-12-27 11:45 967,839 ---hs---- C:\WINDOWS\system32\qysvutff.ini
2007-12-24 17:23 . 2007-12-24 17:23 d-------- C:\Program Files\Windows Defender
2007-12-24 11:14 . 2007-12-25 18:30 943,910 ---hs---- C:\WINDOWS\system32\ivyefxyo.ini
2007-12-23 10:34 . 2007-12-24 11:13 1,010,289 ---hs---- C:\WINDOWS\system32\pvwkofbm.ini
2007-12-22 05:20 . 2007-12-23 10:30 991,842 ---hs---- C:\WINDOWS\system32\tvscouoc.ini
2007-12-21 11:15 . 2007-12-21 11:15 d-------- C:\WINDOWS\zfri
2007-12-21 11:15 . 2007-12-21 11:15 d-------- C:\Program Files\Common Files\zfri
2007-12-20 12:12 . 2007-12-22 05:14 991,515 ---hs---- C:\WINDOWS\system32\pksojaqf.ini

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 22:13 90,112 ----a-w C:\WINDOWS\DUMPd257.tmp
2007-12-17 23:20 --------- d-----w C:\Program Files\Trend Micro
2007-12-17 17:56 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-23 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-07-29 22:24 472 --sha-r C:\WINDOWS\UFJPIEJvb25leQ\oILjKHLSvZc5yk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{477840F3-BA52-44D9-8E41-38D61CAA010F}]
C:\WINDOWS\system32\egmulhxk.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{59693FA9-25A3-4D8C-BB03-35658A5D83DA}]
2008-01-01 21:41 274432 --a------ C:\PROGRA~1\INTERN~2\INTERN~1.DLL

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{B1DB8D8E-4EC0-4D58-BE7D-6845034C56B0}]
C:\WINDOWS\system32\efcbc.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{f8e2cb56-1dd1-11b2-a97f-bf2f904a0e7f}]
C:\WINDOWS\ilsvojon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-04-24 05:15 180224 C:\WINDOWS\system32\pctspk.exe]
"PV92TRAY"="PV92Tray.exe" [2003-06-17 21:57 130048 C:\WINDOWS\system32\PV92Tray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]
"0809120C0B140F141"="EFF0F9F3F2FBF6F.exe" [2007-12-14 06:40 120832 C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"RegistryMechanic"=""

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\Booney\Start Menu\Programs\Startup
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-30 03:21:40 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccbxy]
efccbxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxusr]
xxyxusr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\General Socket Service]
@="Service"

S3 AFW;AFW;C:\DOCUME~1\Booney\LOCALS~1\Temp[u]0[/u]019334e.sys
S3 evga;evga;C:\DOCUME~1\Booney\LOCALS~1\Temp\evga.sys [2008-01-14 22:22]
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2002-12-04 15:59]
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys [2003-04-10 11:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 15:10:26 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

  • C:\Program Files\Windows Defender\MpCmdRun.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 12:02:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-20 12:04:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 18:04:04
.
2008-01-18 11:18:46 --- E O F ---

Booney's HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:32 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CInternetExplorerAssistant - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B1DB8D8E-4EC0-4D58-BE7D-6845034C56B0} - C:\WINDOWS\system32\efcbc.dll (file missing)
O2 - BHO: (no name) - {f8e2cb56-1dd1-11b2-a97f-bf2f904a0e7f} - C:\WINDOWS\ilsvojon.dll (file missing)
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [0809120C0B140F141] EFF0F9F3F2FBF6F.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133550763504
O17 - HKLM\System\CCS\Services\Tcpip..{377694C1-D8CE-4911-9E40-D06E1D96498E}: NameServer = 216.176.95.129,216.176.95.161
O20 - Winlogon Notify: efccbxy - efccbxy.dll (file missing)
O20 - Winlogon Notify: xxyxusr - xxyxusr.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


End of file - 5919 bytes

Hi, welcome to the forum.

Do you know what this is? Is it a folder you created?

C:\Program Files\Common Files\zfri

First I'd like you to download and run this program.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Go to add/remove programs and uninstall the following programs, if present

Rabio
Cool

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {B1DB8D8E-4EC0-4D58-BE7D-6845034C56B0} - C:\WINDOWS\system32\efcbc.dll (file missing)
O2 - BHO: (no name) - {f8e2cb56-1dd1-11b2-a97f-bf2f904a0e7f} - C:\WINDOWS\ilsvojon.dll (file missing)
O20 - Winlogon Notify: efccbxy - efccbxy.dll (file missing)
O20 - Winlogon Notify: xxyxusr - xxyxusr.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\qysojihx.ini
C:\WINDOWS\system32\rmoxaihw.ini
C:\WINDOWS\system32\ouiqdjag.ini
C:\WINDOWS\BM41363cce.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\pnbrprbx.ini
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\nekykljl.ini
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\ss245sd.exe
C:\WINDOWS\system32\xqftatky.ini
C:\WINDOWS\system32\wddexfxr.ini
C:\WINDOWS\system32\aepsieop.ini
C:\WINDOWS\system32\qysvutff.ini
C:\WINDOWS\system32\ivyefxyo.ini
C:\WINDOWS\system32\pvwkofbm.ini
C:\WINDOWS\system32\tvscouoc.ini
C:\WINDOWS\system32\pksojaqf.ini
C:\WINDOWS\DUMPd257.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Please do the steps above in the order posted. Thank you.

I have no idea what that zfri file is. I did everything above in that order and here are the results.

File EFF0F9F3F2FBF6F.exe received on 01.21.2008 09:29:36 (CET)

Result: 5/32 (15.63%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.21.10 2008.01.21 -
AntiVir 7.6.0.48 2008.01.21 -
Authentium 4.93.8 2008.01.21 -
Avast 4.7.1098.0 2008.01.20 -
AVG 7.5.0.516 2008.01.20 -
BitDefender 7.2 2008.01.21 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.21 -
DrWeb 4.44.0.09170 2008.01.21 -
eSafe 7.0.15.0 2008.01.16 Suspicious File
eTrust-Vet 31.3.5475 2008.01.21 -
Ewido 4.0 2008.01.20 -
FileAdvisor 1 2008.01.21 -
Fortinet 3.14.0.0 2008.01.21 -
F-Prot 4.4.2.54 2008.01.21 -
F-Secure 6.70.13260.0 2008.01.21 -
Ikarus T3.1.1.20 2008.01.21 Trojan-Spy.Win32.Banbra.z
Kaspersky 7.0.0.125 2008.01.21 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.21 -
NOD32v2 2809 2008.01.21 -
Norman 5.80.02 2008.01.20 -
Panda 9.0.0.4 2008.01.20 Suspicious file
Prevx1 V2 2008.01.21 Heuristic: Suspicious File With Outbound Communications
Rising 20.28.00.00 2008.01.21 -
Sophos 4.24.0 2008.01.21 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.21 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.20 -
Webwasher-Gateway 6.6.2 2008.01.21 Win32.EPO.gen (suspicious)
Additional information
File size: 120832 bytes
MD5: 2a51f6176a685c3205f6ca5d1220d0fe
SHA1: c6cee85fcbc65799fae36d2d1cf64f78cf831034
PEiD: -
packers: Aspack
packers: ASPack, PE_Patch
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=395D6A7E00874A26D86B01B7CA17F300DDE8FD42

ComboFix 08-01-20.1 - Booney 2008-01-21 3:02:12.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.263 [GMT -6:00]
Running from: C:\Documents and Settings\Booney\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Booney\Desktop\CFscript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\BM41363cce.xml
C:\WINDOWS\DUMPd257.tmp
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\pskt.ini
C:\WINDOWS\ss245sd.exe
C:\WINDOWS\system32\aepsieop.ini
C:\WINDOWS\system32\ivyefxyo.ini
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\nekykljl.ini
C:\WINDOWS\system32\ouiqdjag.ini
C:\WINDOWS\system32\pksojaqf.ini
C:\WINDOWS\system32\pnbrprbx.ini
C:\WINDOWS\system32\pvwkofbm.ini
C:\WINDOWS\system32\qysojihx.ini
C:\WINDOWS\system32\qysvutff.ini
C:\WINDOWS\system32\rmoxaihw.ini
C:\WINDOWS\system32\tvscouoc.ini
C:\WINDOWS\system32\wddexfxr.ini
C:\WINDOWS\system32\xqftatky.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\BM41363cce.xml
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\pskt.ini
C:\WINDOWS\ss245sd.exe
C:\WINDOWS\system32\aepsieop.ini
C:\WINDOWS\system32\ivyefxyo.ini
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\nekykljl.ini
C:\WINDOWS\system32\ouiqdjag.ini
C:\WINDOWS\system32\pksojaqf.ini
C:\WINDOWS\system32\pnbrprbx.ini
C:\WINDOWS\system32\pvwkofbm.ini
C:\WINDOWS\system32\qysojihx.ini
C:\WINDOWS\system32\qysvutff.ini
C:\WINDOWS\system32\rmoxaihw.ini
C:\WINDOWS\system32\tvscouoc.ini
C:\WINDOWS\system32\wddexfxr.ini
C:\WINDOWS\system32\xqftatky.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 11:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 08:23 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-20 06:12 . 2008-01-20 06:12 d-------- C:\Program Files\Enigma Software Group
2008-01-18 08:05 . 2008-01-18 09:42 54 --a------ C:\WINDOWS\JascCmdFile.INI
2008-01-17 02:31 . 2008-01-17 02:31 d-------- C:\Documents and Settings\Booney\Application Data\Jasc
2008-01-16 23:29 . 2008-01-16 23:29 d--h----- C:\WINDOWS\PIF
2008-01-16 22:32 . 2008-01-16 22:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 22:32 . 2008-01-16 22:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 17:33 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-16 17:33 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-16 17:33 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-16 17:33 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-16 17:33 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-16 17:33 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-16 17:32 . 2008-01-16 17:32 d-------- C:\Program Files\Alwil Software
2008-01-16 17:32 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-16 17:32 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-16 17:32 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-16 04:28 . 2008-01-16 04:28 d-------- C:\WINDOWS\system32\6667706A69726D7
2008-01-16 04:28 . 2007-12-14 06:40 120,832 --a------ C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe
2008-01-12 20:36 . 2008-01-12 20:36 d--hs---- C:\FOUND.008
2008-01-11 17:30 . 2008-01-11 17:30 d-------- C:\Program Files\Dot1XCfg
2008-01-11 03:01 . 2008-01-11 03:01 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-09 16:35 . 2008-01-09 16:35 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-09 16:11 . 2008-01-09 16:11 d-------- C:\Program Files\Internet Explorer Assistant
2008-01-09 15:41 . 2008-01-09 15:41 d--hs---- C:\FOUND.007
2008-01-09 15:32 . 2008-01-09 15:32 599,080 --a------ C:\autoruns.exe
2008-01-06 11:13 . 2008-01-06 11:13 d--hs---- C:\FOUND.006
2008-01-04 03:10 . 2008-01-04 03:10 d--hs---- C:\FOUND.005
2008-01-01 22:23 . 2008-01-14 12:22 379 --a------ C:\WINDOWS\wininit.ini
2008-01-01 15:43 . 2008-01-01 15:43 d--hs---- C:\FOUND.004
2008-01-01 14:58 . 2008-01-01 14:58 d--hs---- C:\FOUND.003
2007-12-31 16:32 . 2007-12-31 16:32 d--hs---- C:\FOUND.002
2007-12-31 16:04 . 2007-12-31 16:04 d--hs---- C:\FOUND.001
2007-12-28 11:53 . 2007-12-28 11:53 d-------- C:\Program Files\RcvSystem
2007-12-25 19:43 . 2007-12-25 19:43 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:23 . 2007-12-24 17:23 d-------- C:\Program Files\Windows Defender
2007-12-21 11:15 . 2007-12-21 11:15 d-------- C:\WINDOWS\zfri
2007-12-21 11:15 . 2007-12-21 11:15 d-------- C:\Program Files\Common Files\zfri

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 23:20 --------- d-----w C:\Program Files\Trend Micro
2007-12-17 17:56 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-23 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-07-29 22:24 472 --sha-r C:\WINDOWS\UFJPIEJvb25leQ\oILjKHLSvZc5yk.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_12.03.38.10 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-20 17:52:04 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-21 09:01:48 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
  • 2008-01-20 17:52:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-21 09:01:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
  • 2008-01-20 17:52:06 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
  • 2008-01-21 09:01:48 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
  • 2008-01-20 17:52:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-21 09:01:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
  • 2008-01-20 17:52:08 7,921,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
  • 2008-01-21 09:01:50 7,921,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
  • 2008-01-20 17:52:08 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
  • 2008-01-21 09:01:52 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
  • 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
  • 2008-01-21 07:14:24 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59693FA9-25A3-4D8C-BB03-35658A5D83DA}]
2008-01-01 21:41 274432 --a------ C:\PROGRA~1\INTERN~2\INTERN~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-04-24 05:15 180224 C:\WINDOWS\system32\pctspk.exe]
"PV92TRAY"="PV92Tray.exe" [2003-06-17 21:57 130048 C:\WINDOWS\system32\PV92Tray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]
"0809120C0B140F141"="EFF0F9F3F2FBF6F.exe" [2007-12-14 06:40 120832 C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"RegistryMechanic"=""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 19:47 8720384]

C:\Documents and Settings\Booney\Start Menu\Programs\Startup
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-04-30 03:21:40 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\General Socket Service]
@="Service"

S3 AFW;AFW;C:\DOCUME~1\Booney\LOCALS~1\Temp\0019334e.sys
S3 evga;evga;C:\DOCUME~1\Booney\LOCALS~1\Temp\evga.sys
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2002-12-04 15:59]
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys [2003-04-10 11:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 07:17:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 03:04:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-21 3:05:15
ComboFix-quarantined-files.txt 2008-01-21 09:05:12
ComboFix2.txt 2008-01-20 18:04:10
.
2008-01-18 11:18:46 --- E O F ---

Looks better. I need a new hijackthis log too.

How is everything now?

Make and run these batch files and we’ll have a peek in those folders.

Open a new notepad and copy and paste the following into it

@echo off
dir "C:\WINDOWS\zfri" >> look.txt
start look.txt

Click File, Save As. Set it to save to the desktop, name it look.bat, set the file type as All Files, and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Open a new notepad and copy and paste the following into it

@echo off
dir "C:\Program Files\Common Files\zfri" >> look1.txt
start look1.txt

Click File, Save As. Set it to save to the desktop, name it look1.bat, set the file type as All Files, and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.

Everything looks great now! ;D You and Avast are the best.
OK, here are the logs.

How is everything going, just a bit more to do.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\UFJPIEJvb25leQ\oILjKHLSvZc5yk.vbs

scroll down a bit and click "send file", wait for the results and post them in your next reply.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save As..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\everybodybets.32x32.4.ico

This will start ComboFix again. Close all browser windows first.

Another strange folder. Funny how these things stand out once the rest is gone. You can delete the other .bat files I had you make before.

Open a new notepad and copy and paste the following into it

@echo off
dir "C:\WINDOWS\system32\6667706A69726D7" >> look2.txt
start look2.txt

Click File, Save As. Set it to save to the desktop, name it look2.bat, set the file type as All Files, and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it; a Notepad window will appear. Save it to your desktop so you can attach it to your next reply.
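The look.bat, look1.bat and look2.bat files above list one folder each, and a plain `dir` skips hidden and system files (note the --sha-r attributes on the .vbs in the Find3M report). Here is an added example, not oldman's script, that lists all three folders named in this thread in one report, including hidden files, creation times and attributes; the report name look_all.txt is my choice.

```batch
@echo off
rem Added example (not from this thread): one report for all three suspect folders.
rem   /a    also lists hidden and system files that a plain "dir" omits
rem   /s    recurses into subfolders
rem   /t:c  sorts/shows by creation time, the timestamp ComboFix's
rem         "Files Created" section is built from
setlocal
set "REPORT=%USERPROFILE%\Desktop\look_all.txt"
if exist "%REPORT%" del "%REPORT%"

for %%D in ("C:\WINDOWS\zfri" "C:\Program Files\Common Files\zfri" "C:\WINDOWS\system32\6667706A69726D7") do (
    echo ===== %%~D ===== >> "%REPORT%"
    if exist "%%~D\" (
        dir /a /s /t:c "%%~D" >> "%REPORT%" 2>&1
        echo --- attributes --- >> "%REPORT%"
        rem attrib shows the H/S/R flags per file, e.g. a hidden+system .vbs
        attrib /s "%%~D\*" >> "%REPORT%" 2>&1
    ) else (
        echo folder not found >> "%REPORT%"
    )
    echo. >> "%REPORT%"
)

start notepad "%REPORT%"
endlocal
```

Save it as look_all.bat the same way as the other batch files and attach look_all.txt from the desktop.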

I don't know what to make of the contents of the folders you checked earlier. The extension for the files is .loc; all I could find is "locked" or "location".

Nothing out there either about C:\WINDOWS\system32\EFF0F9F3F2FBF6F.exe. I'll see if anyone has come across these before. Why it would be running at startup, I'm not sure.

BTW has anyone been using a GPS and saving location data? That might be the .loc files.