
Good day. This is my first attempt to write in a forum; never before have I needed to. The situation with my home PC looks ugly. I cannot access the Malwarebytes web-site from my home PC; it looks blocked. I cannot run mbam.exe on my home PC from the shortcut; it simply does not go anywhere. I cannot restore to the previous checkpoint on the PC's System Restore screen: after pressing the final "next" button there is no response. The IE browser sometimes behaves weirdly and opens some bicycle store site instead of the requested page.

The HijackThis log looks normal. The only strange thing is in the root directory: there are a number of invisible files and directories. Here is the printout from the CMD screen. To me it looks bad. Please see below. Please help. Yuri.

C:\>dir C:\ /A

Volume in drive C has no label.

Volume Serial Number is 3071-8670

Directory of C:\

14/11/2006 11:21 PM <DIR> 2a7af7f2b4a278cb78f753

31/08/2001 11:50 AM 0 AUTOEXEC.BAT

25/03/2009 09:56 PM 337 autorun.inf

22/02/2009 07:17 PM 211 BOOT.INI

31/08/2001 11:29 AM 512 BOOTSECT.DOS

29/11/2006 11:46 PM 5,140 CLDMA.LOG

25/03/2009 02:37 PM <DIR> Config.Msi

31/08/2001 11:50 AM 0 CONFIG.SYS

27/01/2008 05:28 PM <DIR> DELL

22/07/2002 08:19 AM 3,745 DELL.SDR

22/09/2008 09:18 PM <DIR> Documents and Settings

25/03/2009 03:09 PM <DIR> downloads

22/07/2002 07:55 AM <DIR> DRIVERS

12/01/2007 12:13 AM <DIR> FormOver

16/03/2008 11:21 PM <DIR> I386

07/12/2007 01:02 PM 0 IO.SYS

08/08/2008 03:41 PM <DIR> lotus

07/12/2007 01:02 PM 0 MSDOS.SYS

31/10/2007 08:59 PM <DIR> MSOCache

26/08/2005 10:56 PM 47,564 NTDETECT.COM

28/05/2008 11:30 PM 250,048 NTLDR

25/03/2009 10:26 PM 402,653,184 pagefile.sys

25/03/2009 10:36 PM <DIR> Program Files

25/03/2009 05:50 PM <DIR> RECYCLER

26/08/2005 11:14 PM <DIR> System Volume Information

24/03/2009 10:19 PM <DIR> TEMP

21/01/2009 11:49 AM <DIR> unzipped

11/03/2009 07:09 AM <DIR> WINDOWS

15/08/2008 01:16 PM 8,512 _NavCClt.Log

13 File(s) 402,969,253 bytes

16 Dir(s) 2,059,268,096 bytes free

C:\>type autorun.inf

[autorun]

;gdbxefidmyxrzntyqdmqmsxufumlbvothfkncfii

shellexecute="RECYCLER\S-6-5-19-100028534-100000791-100024502-2240.com c:\"

;yqymxmdqimkbxbtyaiz

shell\Open\command="RECYCLER\S-6-5-19-100028534-100000791-100024502-2240.com c:\"

;sjdkzvweyzuusdyrzenjtbhmextbekuhybveplumguhwlkwiubjqyjyqsznrzcyydsrahjqlobzxyscyerknuw

shell=Open

C:\>

=============

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\>cd RECYCLER

C:\RECYCLER>DIR

Volume in drive C has no label.

Volume Serial Number is 3071-8670

Directory of C:\RECYCLER

File Not Found

C:\RECYCLER>DIR /A

Volume in drive C has no label.

Volume Serial Number is 3071-8670

Directory of C:\RECYCLER

25/03/2009 05:50 PM <DIR> .

25/03/2009 05:50 PM <DIR> ..

24/03/2009 11:51 PM <DIR> S-1-5-21-2745678790-3757435101-538525854-1006

25/03/2009 09:51 PM <DIR> S-1-5-21-2745678790-3757435101-538525854-1009

25/03/2009 10:24 PM <DIR> S-1-5-21-2745678790-3757435101-538525854-500

24/03/2009 07:11 PM 83,456 S-6-5-19-100028534-100000791-100024502-2240.com

1 File(s) 83,456 bytes

5 Dir(s) 2,052,800,512 bytes free

C:\RECYCLER>

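The part of that listing worth a second look is the autorun.inf in the root of C:. The following is an added example, not something posted in the thread: a small Python triage script that reads the file the way Windows would (ignoring the ';' comment lines, which here hold random padding) and reports what would execute. The suspicious sample is the autorun.inf printed above with the console-wrapped lines rejoined; the benign sample and the heuristics (executable extension, target hidden in a system folder, SID-like file name, default verb override) are my own constructions.

```python
"""Triage an autorun.inf: what would Windows execute if this drive were opened?"""
import re

# Constructed sample: the autorun.inf printed in the post above, with the two
# console-wrapped lines rejoined. Windows ignores the ';' comment lines; the
# random text in them only changes the file's hash.
SAMPLE_AUTORUN_INF = r"""[autorun]
;gdbxefidmyxrzntyqdmqmsxufumlbvothfkncfii
shellexecute="RECYCLER\S-6-5-19-100028534-100000791-100024502-2240.com c:\"
;yqymxmdqimkbxbtyaiz
shell\Open\command="RECYCLER\S-6-5-19-100028534-100000791-100024502-2240.com c:\"
;sjdkzvweyzuusdyrzenjtbhmextbekuhybveplumguhwlkwiubjqyjyqsznrzcyydsrahjqlobzxysc
shell=Open
"""

# Constructed benign sample for contrast: only an icon and a label, nothing runs.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.ico
label=Vendor Tools
"""

EXECUTABLE_EXT = (".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")
SID_LIKE = re.compile(r"s-\d+-\d+-\d+(?:-\d+){2,}")


def parse_autorun(text):
    """Return {key.lower(): value} for the [autorun] section; ';' lines are comments."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _program(value):
    """The program part of a command value: quotes stripped, arguments dropped."""
    tokens = value.strip().strip('"').split()
    return tokens[0] if tokens else ""


def executable_targets(entries):
    """Map each directive that launches something to the program it would launch.

    open= and shellexecute= fire on AutoPlay; shell\\<verb>\\command= rewires the
    verb Explorer offers for the drive itself, so even with AutoPlay disabled a
    double-click on the drive runs the target.
    """
    return {
        key: _program(value)
        for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def triage_autorun(text):
    """Human-readable findings; an empty list means nothing in the file executes."""
    entries = parse_autorun(text)
    findings = []
    for directive, target in executable_targets(entries).items():
        low = target.lower()
        reasons = []
        if low.endswith(EXECUTABLE_EXT):
            reasons.append("launches an executable")
        if "recycler" in low or "system volume information" in low:
            reasons.append("hidden inside a system folder")
        if SID_LIKE.search(low):
            reasons.append("file name mimics a recycle-bin SID folder")
        if reasons:
            findings.append(f"{directive}: {target} ({'; '.join(reasons)})")
    if "shell" in entries:
        findings.append(
            f"shell={entries['shell']}: default double-click verb redirected to a custom one"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(f"{name}: {triage_autorun(sample) or ['nothing executes']}")
```

On the sample above the script reports both directives and the `shell=Open` override; on the benign file it reports nothing. The point for a responder is that an autorun.inf on a fixed drive has no legitimate reason to redirect the drive's `Open` verb into RECYCLER, and that the `.com` it points at is the file to collect for analysis rather than run.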
Download and Run HijackThis

Download HJTInstall.exe to your Desktop.

* Doubleclick HJTInstall.exe to install it.

* By default it will install to C:\Program Files\Trend Micro\HijackThis.

* Click on Install.

* It will create a HijackThis icon on the desktop.

* Once installed, it will launch Hijackthis.

* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

* Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.

Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Please post the new HJT log.

Please find the Log

=============

Logfile of HijackThis v1.99.1

Scan saved at 3:03:23 PM, on 26/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\program files\mi6\i.ua checker\iua_checker.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Documents and Settings\Yuri Naumtchik\My Documents\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [i.UA Checker] c:\program files\mi6\i.ua checker\iua_checker.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{D870FE3C-9044-428E-9377-5C36BB33FB17}: NameServer = 85.255.112.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (file missing)

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

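The O17 items in this log are the ones that explain the browser symptom from the first post: all four Tcpip NameServer keys point at resolvers the owner did not configure, and a hijacked resolver is enough to send a browser to the wrong site. As an added example, not part of the thread, here is a Python checker that pulls the O17 entries out of a HijackThis log, flags any resolver that is neither local nor on an allow-list, and diffs two logs so a cleanup can be confirmed. The sample lines are copied from this log and from the post-cleanup log later in the thread; the `EXPECTED_DNS` allow-list is an assumed placeholder (a real run would fill it from the router or the ISP).

```python
"""Check the DNS resolvers (O17 items) in a HijackThis log and diff two logs."""
import ipaddress
import re

# Constructed samples: item lines copied from the HijackThis log above and from the
# post-cleanup log later in this thread, trimmed to the lines the checks care about.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D870FE3C-9044-428E-9377-5C36BB33FB17}: NameServer = 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
"""

HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
"""

# Assumed allow-list (placeholder): the resolvers this household's router or ISP
# actually hands out. A real check fills this from the router's DHCP settings.
EXPECTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
ITEM_RE = re.compile(r"^(?:R[0-3]|F[0-3]|O\d{1,2}) - ")


def nameservers(log_text):
    """[(registry key, [ip, ...]), ...] for every O17 line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            ips = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            found.append((m.group("key"), ips))
    return found


def unexpected_nameservers(log_text, expected=EXPECTED_DNS):
    """{ip: [registry keys]} for resolvers that are neither local nor on the allow-list.

    Private or loopback addresses are taken to be the home router; any other
    resolver the user did not configure is a DNS-hijack candidate.
    """
    flagged = {}
    for key, ips in nameservers(log_text):
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                flagged.setdefault(ip, []).append(key)  # not even an address: flag it
                continue
            if addr.is_private or addr.is_loopback or ip in expected:
                continue
            flagged.setdefault(ip, []).append(key)
    return flagged


def items(log_text):
    """The set of HJT item lines (R*, F*, O*), ignoring headers and the process list."""
    return {l.strip() for l in log_text.splitlines() if ITEM_RE.match(l.strip())}


def diff_logs(before, after):
    """Items removed and added between two logs, to confirm what a cleanup changed."""
    b, a = items(before), items(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    for ip, keys in unexpected_nameservers(HJT_BEFORE).items():
        print(f"unexpected resolver {ip} set in {len(keys)} Tcpip key(s)")
    delta = diff_logs(HJT_BEFORE, HJT_AFTER)
    print(f"{len(delta['removed'])} items removed, {len(delta['added'])} added")
```

The checker looks at every control set (CCS, CS1, CS2 and the per-interface key), not just the current one: a hijack written into the last-known-good set would otherwise come back after a rollback. The diff confirms that the O17 items and the `(file missing)` service entry are gone in the later log.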
Welcome to the Malwarebytes forum.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:

  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Installed Programs

Please could you give me a list of the programs that are installed.

  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.

Click on save list button and specify where you would like to save this file.

When you press Save button a notepad will open with the contents of that file.

Simply copy and paste the contents of that notepad into your next post.

Your version of HJT is outdated; did you get it from the link I provided?

I'm presently looking over your log and hope not to be too long.

Will be back with you as soon as I can.

Thanks dan

Hello Dan,

I have prepared the information you requested.

Unfortunately I cannot access the forum's site from my PC. It is blocked by the malware. HijackThis 2.0.2 is installed and all the listings are repeated. Thanks for the good link.

About my PC: it has two accounts, both with administrator privileges. In Safe Mode there are three: one more account called Administrator.elow.

Down below is the detailed information about the condition of my PC. Now I solemnly rely on your help. There is no rush as it is already too late today.

Thanks, Yuri.

................................................................................

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:18:48 PM, on 26/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe

O8 - Extra context menu item: &

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Will this program do any real work or only produce a report?
This is a powerful tool, only to be used with instruction, it will deal with what I want it to deal with and also produce a log.

If for some reason it doesn't run get back to me.

Dan :D

Thanks Dan.

All you have requested is done. Now I can access this forum from my own machine.

Below are two logs. Please review and let me know if it is OK.

Yuri.

=============================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:24:55 PM, on 27/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe

O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (file missing)

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

--

End of file - 6055 bytes

======================================

ComboFix 09-03-26.03 - Yuri Naumtchik 2009-03-27 21:05:14.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1251.380.1033.18.767.445 [GMT -4:00]

Running from: c:\documents and settings\Yuri Naumtchik\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

c:\documents and settings\Oksana\Application Data\inst.exe

c:\recycler\S-5-8-88-100005031-100029457-100006259-9978.com

c:\windows\IE4 Error Log.txt

c:\windows\system32\drivers\gaopdxdaaobwinjrfomyvqvdquebwvhpukqlbv.sys

c:\windows\system32\drivers\gaopdxeyqbargftiltkkdajbwuwmixmocdovtp.sys

c:\windows\system32\drivers\gaopdxkeckjmmeyddssilrxfrusverpjcforoc.sys

c:\windows\system32\drivers\gaopdxlvndayorpawqcmxwilmcjadxretkmtvp.sys

c:\windows\system32\drivers\gaopdxxxtqrqjgejgubyboetjxbrkdskmaejbq.sys

c:\windows\system32\gaopdxcounter

c:\windows\system32\gaopdxvybrrovaemnawaorxwsfewwklucxvfvc.dll

c:\windows\system32\kr_done1

c:\windows\system32\lodbc09.dll

c:\windows\system32\pthreadGC2.dll

c:\windows\winhelp.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gaopdxserv.sys

-------\Legacy_SVCPROC

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))

.

2009-03-26 21:18 . 2009-03-26 21:18 <DIR> d-------- c:\program files\Trend Micro

2009-03-26 14:47 . 2009-03-26 14:47 <DIR> d-------- c:\program files\Common Files\Adobe

2009-03-26 14:32 . 2009-03-26 14:32 <DIR> d-------- c:\program files\Common Files\Java

2009-03-26 14:32 . 2007-05-16 11:12 510,976 --a------ c:\windows\SYSTEM32\DLLCACHE\wab32.dll

2009-03-26 14:32 . 2004-08-04 06:00 249,856 --a------ c:\windows\SYSTEM32\DLLCACHE\wab32res.dll

2009-03-26 14:32 . 2007-05-16 11:12 86,528 --a------ c:\windows\SYSTEM32\DLLCACHE\directdb.dll

2009-03-26 14:31 . 2009-03-26 14:31 <DIR> d-------- c:\program files\Common Files\Skype

2009-03-26 14:19 . 2009-03-26 14:19 <DIR> d-------- c:\program files\Common Files\InstallShield

2009-03-26 11:34 . 2009-03-26 11:39 <DIR> d-------- c:\program files\Unlocker

2009-03-24 23:45 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-03-24 23:45 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-03-23 22:05 . 2009-03-23 22:05 <DIR> d-------- c:\documents and settings\Oksana\Application Data\Babylon

2009-03-23 22:05 . 2009-03-23 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Babylon

2009-03-23 16:26 . 2009-03-23 16:26 <DIR> d-------- c:\documents and settings\Oksana\Application Data\Intuit Canada

2009-03-17 21:35 . 2009-03-17 21:40 <DIR> d-------- c:\program files\Google

2009-03-17 21:35 . 2009-03-27 08:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

2009-03-06 00:15 . 2009-03-06 00:16 <DIR> d-------- c:\program files\K-Lite Codec Pack

2009-03-06 00:15 . 2008-11-06 12:37 3,596,288 --a------ c:\windows\SYSTEM32\qt-dx331.dll

2009-03-06 00:15 . 2008-09-24 14:41 839,680 --a------ c:\windows\SYSTEM32\lameACM.acm

2009-03-06 00:15 . 2008-12-07 14:08 795,648 --a------ c:\windows\SYSTEM32\xvidcore.dll

2009-03-06 00:15 . 2008-11-06 12:33 684,032 --a------ c:\windows\SYSTEM32\divx.dll

2009-03-06 00:15 . 2004-01-25 12:18 217,088 --a------ c:\windows\SYSTEM32\yv12vfw.dll

2009-03-06 00:15 . 2008-09-16 15:23 168,448 --a------ c:\windows\SYSTEM32\unrar.dll

2009-03-06 00:15 . 2008-12-07 14:08 130,048 --a------ c:\windows\SYSTEM32\xvidvfw.dll

2009-03-06 00:15 . 2007-09-20 20:52 118,784 --a------ c:\windows\SYSTEM32\ac3acm.acm

2009-03-06 00:15 . 2008-12-10 20:33 86,016 --a------ c:\windows\SYSTEM32\dpl100.dll

2009-03-06 00:15 . 2009-02-09 14:56 67,584 --a------ c:\windows\SYSTEM32\ff_vfw.dll

2009-03-06 00:15 . 2007-07-10 12:10 547 --a------ c:\windows\SYSTEM32\ff_vfw.dll.manifest

2009-03-06 00:15 . 2008-10-03 08:30 414 --a------ c:\windows\SYSTEM32\lame_acm.xml

2009-03-04 14:28 . 2009-03-26 17:59 <DIR> d-------- c:\documents and settings\Oksana\Application Data\skypePM

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-28 01:16 --------- d-----w c:\documents and settings\Yuri Naumtchik\Application Data\Orbit

2009-03-28 01:15 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-27 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan

2009-03-27 02:51 --------- d-----w c:\documents and settings\Oksana\Application Data\Orbit

2009-03-26 22:07 --------- d-----w c:\documents and settings\Oksana\Application Data\Skype

2009-03-26 18:57 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-25 22:04 --------- d-----w c:\program files\eMule

2009-03-25 18:37 --------- d-----w c:\program files\QuickTax 2007

2009-03-21 17:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-03-04 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-04 19:00 --------- d-----r c:\program files\Skype

2009-02-22 22:56 --------- d-----w c:\documents and settings\Yuri Naumtchik\Application Data\Nokia

2009-02-20 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\Napster

2009-02-19 01:33 --------- d-----w c:\documents and settings\Oksana\Application Data\Malwarebytes

2009-02-19 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-17 20:05 --------- d-----w c:\program files\Security Task Manager

2009-02-15 19:28 --------- d-----w c:\documents and settings\Yuri Naumtchik\Application Data\Skype

2009-02-15 18:48 --------- d-----w c:\documents and settings\Yuri Naumtchik\Application Data\skypePM

2009-02-12 16:34 --------- d-----w c:\program files\DVD Photo Slideshow Professional

2009-02-12 16:34 --------- d-----w c:\documents and settings\All Users\Application Data\Socusoft

2009-02-11 23:00 --------- d-----w c:\program files\Flash Slideshow Maker Professional

2008-07-04 21:26 47,360 ----a-w c:\documents and settings\Oksana\Application Data\pcouffin.sys

2007-12-02 17:33 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2007-03-25 03:13 87,608 ----a-w c:\documents and settings\Yuri Naumtchik\Application Data\ezpinst.exe

2007-03-25 03:13 47,360 ----a-w c:\documents and settings\Yuri Naumtchik\Application Data\pcouffin.sys

2006-02-19 17:08 88,552 ----a-w c:\documents and settings\Oksana\Application Data\GDIPFONTCACHEV1.DAT

2004-06-28 16:53 2,926 --sha-w c:\windows\rfdyy.dat

2008-05-29 03:53 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]

"D-Link AirPlus XtremeG"="c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 1011712]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-08-15 104128]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 507904]

"nwiz"="nwiz.exe" [2003-10-06 c:\windows\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-01-07 1711304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= dvacm.acm

"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk

backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart 97.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart 97.lnk

backup=c:\windows\pss\Lotus SuiteStart 97.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 02:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--------- 2007-10-11 13:06 62760 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

--a------ 2008-12-03 13:47 1205760 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]

--a------ 2006-06-07 07:25 507904 c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SymWSC"=2 (0x2)

"Norton AntiVirus Server"=2 (0x2)

"iPod Service"=3 (0x3)

"AVG Anti-Spyware Guard"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"AdobeActiveFileMonitor5.0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hasbro Sports\\Grand Prix 3\\GP3.ICD"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\uedit32.exe"=

"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\eMule\\eMule.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1309:UDP"= 1309:UDP:Windows Media Format SDK (iexplore.exe)

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-01-30 13:28:36 41456]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-26 101936]

S2 gupdate1c9a76a5b4470d6;Google Update Service (gupdate1c9a76a5b4470d6);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 133104]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [2005-03-22 450400]

S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\SYSTEM32\DRIVERS\pixmcvc.sys [2006-02-28 32000]

S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\SYSTEM32\DRIVERS\pixmcva.sys [2006-02-28 28057]

S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\SYSTEM32\DRIVERS\pixmcvv.sys [2006-02-28 21081]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-06-15 115952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20ca60ca-bd2c-11db-a201-00c0a8817475}]

\Shell\Auto\command - setup.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1fe88d2-df67-11da-a06e-00c0a8817475}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Salvation_Army\mbam-setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\A6582E289187ADB0.job

- c:\progra~1\sitere~1\startbindhide.exe []

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-03-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 04:42]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 21:39]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

HKCU-Run-EasyLinkAdvisor - c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

HKLM-Run-NWEReboot - (no file)

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Yuri Naumtchik\Application Data\Mozilla\Firefox\Profiles\dd3yvlfs.default\

FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-27 21:15:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2745678790-3757435101-538525854-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE

c:\windows\SYSTEM32\nvsvc32.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\windows\SYSTEM32\rundll32.exe

c:\program files\Orbitdownloader\orbitnet.exe

.

**************************************************************************

.

Completion time: 2009-03-27 21:22:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-28 01:22:10

Pre-Run: 3,528,179,712 bytes free

Post-Run: 10,671,902,720 bytes free

246 --- E O F --- 2009-03-12 23:54:56


Dan, one more thing. The Microsoft Security update requested an installation of security update KB927779. This has been done a number of times, always for the same update. It looks strange. Also a question: as checked before, the memory stick is also infected. Is there the possibility to clean it safely without a chance to bring the malware back from the stick to the PC? Thanks, Yuri.


IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

eMule, Napster

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Submit a File For Analysis

We need to have the file below scanned by uploading it to Jotti.

Please visit Jotti

Copy/paste the following file path into the window

c:\windows\rfdyy.dat

Click Submit/Send File

Please post back, to let me know the results.

If Jotti is too busy please try Virustotal

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
    :files
    c:\windows\Tasks\A6582E289187ADB0.job
    c:\progra~1\sitere~1
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20ca60ca-bd2c-11db-a201-00c0a8817475}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1fe88d2-df67-11da-a06e-00c0a8817475}]
    :Commands
    [emptytemp]
    [start explorer]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As...
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Post:

  • Jotti's report
  • Malwarebytes report
  • Kaspersky scan
  • fresh HJT log

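The OTMoveIt script in the post above targets exactly the items that stand out in the ComboFix log posted earlier: a hex-named scheduled task whose target has no file information, the mountpoints2 AutoRun handlers, and (for the reader's own review) the registry values that switched off the firewall and Security Center monitoring. As an added example that is not part of the thread or of any tool named in it, this Python helper applies the same triage reasoning to a constructed excerpt of that log; the key names, task names and paths are copied from the log, while the scoring weights and threshold are my own assumption.

```python
import re

# Constructed excerpt in the shape of the ComboFix log above (key names,
# task names and paths copied from that log; this is not live data).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20ca60ca-bd2c-11db-a201-00c0a8817475}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
Contents of the 'Scheduled Tasks' folder
2009-03-28 c:\windows\Tasks\A6582E289187ADB0.job
- c:\progra~1\sitere~1\startbindhide.exe []
2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
2009-03-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 21:39]
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SHELL_CMD = re.compile(r"^\\Shell\\\w+\\command - (?P<cmd>.+)$")
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} c:\\windows\\Tasks\\(?P<name>[^\\]+)\.job$", re.I)
TASK_TARGET = re.compile(r"^- (?P<path>.+?) \[(?P<info>.*)\]$")
HEX_NAME = re.compile(r"^[0-9A-F]{16}$")

# Registry values that undo protection, matched against the key ComboFix
# printed above the value line.  First element is a lower-case key fragment.
WEAKENED_SETTINGS = [
    ("security center\\monitoring", re.compile(r'"DisableMonitoring"=dword:0*1$'),
     "Security Center monitoring of the AV product switched off"),
    ("firewallpolicy\\standardprofile", re.compile(r'"EnableFirewall"=\s*0\b'),
     "Windows Firewall disabled in the standard profile"),
]

# Weights are my own assumption: a random 16-hex-digit name is the strongest
# signal; an 8.3 short path or a target with no file date/size only counts
# together with another oddity (the Apple task above has an empty [] too and
# is deliberately not flagged).
FLAG_THRESHOLD = 2


def score_task(name, path, info):
    """Score one scheduled task from its .job name, target path and [date size] info."""
    reasons = []
    if HEX_NAME.match(name):
        reasons.append(("random 16-hex-digit task name", 2))
    if "~" in path:
        reasons.append(("8.3 short path hides the real folder name", 1))
    if not info.strip():
        reasons.append(("target has no file date/size (missing or hidden file)", 1))
    return sum(weight for _, weight in reasons), [text for text, _ in reasons]


def triage(log_text):
    """Return a list of findings (dicts with kind/item/reason) for a ComboFix excerpt."""
    findings = []
    current_key = ""
    mountpoint_cmds = {}      # key -> shell commands, in log order
    pending_task = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SHELL_CMD.match(line)
        if m and "mountpoints2" in current_key.lower():
            mountpoint_cmds.setdefault(current_key, []).append(m.group("cmd"))
            continue
        for key_fragment, value_re, why in WEAKENED_SETTINGS:
            if key_fragment in current_key.lower() and value_re.search(line):
                findings.append({"kind": "setting", "item": current_key, "reason": why})
        m = TASK_JOB.match(line)
        if m:
            pending_task = m.group("name")
            continue
        m = TASK_TARGET.match(line)
        if m and pending_task:
            score, reasons = score_task(pending_task, m.group("path"), m.group("info"))
            if score >= FLAG_THRESHOLD:
                findings.append({"kind": "task", "item": pending_task + ".job",
                                 "target": m.group("path"), "score": score,
                                 "reason": "; ".join(reasons)})
            pending_task = None
    # One finding per mountpoints2 key: the cleanup removes the whole key,
    # not the individual command, which is what the OTMoveIt script does.
    for key, cmds in mountpoint_cmds.items():
        findings.append({"kind": "mountpoint", "item": key,
                         "reason": "AutoRun handler recorded for a removable volume: "
                                   + " | ".join(cmds)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"].upper(), f["item"])
        print("   ", f["reason"])
```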

Hello Dan. As per your advice I finished with everything. Kaspersky took all the time and grief with its request to install Java. All of it is finally done. Please see all logs. It looks like not everything is completely clean.

Thanks, Yuri.

==================================================

File: rfdyy.dat_

Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

MD5: 41adf6e265b3adfb6c3951c1aaef9539

Packers detected: -

Scanner results

Scan taken on 29 Mar 2009 01:50:35 (GMT)

A-Squared Found nothing

AntiVir Found TR/Dldr.Agent.AP.1

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Quick Heal Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing


================================================================================

========== FILES ==========

c:\windows\Tasks\A6582E289187ADB0.job moved successfully.

File/Folder c:\progra~1\sitere~1 not found.

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20ca60ca-bd2c-11db-a201-00c0a8817475}\\ deleted successfully.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1fe88d2-df67-11da-a06e-00c0a8817475}\\ deleted successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\YURINA~1\LOCALS~1\Temp\~DF2AFA.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\YURINA~1\LOCALS~1\Temp\~DF2B07.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

FireFox cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03282009_220706

================================================================================

Malwarebytes' Anti-Malware 1.35

Database version: 1912

Windows 5.1.2600 Service Pack 2

28/03/2009 11:34:13 PM

mbam-log-2009-03-28 (23-34-08).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178789

Time elapsed: 1 hour(s), 11 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1499\A0317835.exe (Trojan.Agent) -> No action taken.

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1499\A0317845.exe (Trojan.Agent) -> No action taken.

================================================================================

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Sunday, March 29, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Sunday, March 29, 2009 00:10:03

Records in database: 1982408

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

Scan statistics:

Files scanned: 92851

Threat name: 7

Infected objects: 9

Suspicious objects: 0

Duration of the scan: 03:07:26

File name / Threat name / Threats count

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02D40000.VBN Infected: Trojan.Win32.TDSS.vay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F40000\4FFDECDD.VBN Infected: Packed.Win32.Tdss.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F40001\4FFF9D7F.VBN Infected: Packed.Win32.Tdss.c 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A280000.VBN Infected: Trojan.Win32.TDSS.vay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CEC0000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1

C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe Infected: not-a-virus:AdTool.Win32.BitAccelerator.m 1

C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe Infected: not-a-virus:WebToolbar.Win32.BitAccelerator.o 1

C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe Infected: Trojan.Win32.ConnectionServices.aa 1

C:\Documents and Settings\Yuri Naumtchik\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst Infected: Worm.Win32.AutoRun.qzg 1

The selected area was scanned.

================================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:19:20 AM, on 29/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Update Service (gupdate1c9a76a5b4470d6) (gupdate1c9a76a5b4470d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (file missing)

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

--

End of file - 6483 bytes


Looking a lot better, how are things at that end?

Empty the quarantined folder in Norton.

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
    :files
    c:\windows\rfdyy.dat
    C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe
    :reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0}]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

We need to reveal system folders

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options
  • After the new window appears select the View tab.
  • Place a checkmark in the checkbox labeled Display the contents of system folders
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Press the Apply and then the OK button and shut down My Computer
  • Now your computer is configured to show all hidden files.
  • For you and the tools to be able to see appropriate files we need to Show Hidden Files

Can you tell me if you have a lot of mails in...

C:\Documents and Settings\Yuri Naumtchik\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst << This folder, compact and empty recycle bin

Post the OTMoveIt report.

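Dan's reply sorts the nine Kaspersky hits above by where they sit rather than by the headline count: the Symantec quarantine is emptied, the desktop file goes into the OTMoveIt script, and mailbox.pst is to be cleaned rather than deleted. As an added example that is not part of the thread or of any tool in it, this Python helper makes that sorting explicit over a constructed excerpt of the report; the action text per location and the mail-store extensions beyond .pst are my own assumptions.

```python
import re

# Constructed excerpt in the shape of the Kaspersky Online Scanner reports
# above (paths and detection names copied from them; not live data).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02D40000.VBN Infected: Trojan.Win32.TDSS.vay 1
C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe Infected: not-a-virus:AdTool.Win32.BitAccelerator.m 1
C:\Documents and Settings\Yuri Naumtchik\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst Infected: Worm.Win32.AutoRun.qzg 1
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: Trojan.Win32.ConnectionServices.aa 1
The selected area was scanned.
"""

HIT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# What each location means for the person cleaning the machine (assumed wording).
ACTIONS = {
    "quarantine": "already contained by the installed AV; empty its quarantine store",
    "restore-point": "inert copy inside System Restore; flush old restore points once clean",
    "mail-store": "infected message or attachment inside a mail database; delete the mail, not the .pst",
    "live": "active file on disk; remove it together with whatever autostart entry launches it",
}


def classify(path):
    """Map a reported path to one of the ACTIONS keys by where the object lives."""
    p = path.lower()
    if "\\quarantine\\" in p and p.endswith(".vbn"):
        return "quarantine"        # Symantec quarantine container files
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if p.endswith((".pst", ".ost", ".dbx", ".mbx")):   # .pst is from the report; the rest assumed
        return "mail-store"
    return "live"


def parse_report(text):
    """Return one dict per 'Infected:' line: path, threat, count, location."""
    hits = []
    for raw in text.splitlines():
        m = HIT_LINE.match(raw.strip())
        if not m:
            continue                # headers, separators and the closing sentence
        hits.append({"path": m.group("path"), "threat": m.group("threat"),
                     "count": int(m.group("count")),
                     "location": classify(m.group("path"))})
    return hits


def summarize(hits):
    """Count hits per location and list the paths that still need hands-on cleanup."""
    counts = {}
    for h in hits:
        counts[h["location"]] = counts.get(h["location"], 0) + 1
    needs_action = [h["path"] for h in hits if h["location"] in ("live", "mail-store")]
    return {"counts": counts, "needs_action": needs_action}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for loc, n in summary["counts"].items():
        print(f"{n} x {loc}: {ACTIONS[loc]}")
    print("needs hands-on cleanup:", *summary["needs_action"], sep="\n  ")
```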

Hello Dan. The Quarantined folder in Norton is emptied. Results from OTMoveIt3 are below.

My wife deleted that <<BitAccelerator.exe>> program as there were notes about it this morning. But I have done what you requested anyway to check the registry key or else.

All checkmarks on My Computer were in the condition you requested them to be, so I did not need to do anything to them.

But I still pressed the Apply button in that window to apply them to all folders.

There is a lot of data in that file <<mailbox.pst>>; the size of it is 174M.

I may delete a lot of old mail items from my folders where I store them. Some might be of interest in the future, so I do not know what to do. Please advise. In that area I am not a knowledgeable person.

I do not understand what it means to "compact this folder".

The recycle bin is empty.

Thanks, Yuri.

========== FILES ==========

c:\windows\rfdyy.dat moved successfully.

File/Folder C:\Documents and Settings\Oksana\Desktop\CORSAIR\BitAccelerator.exe not found.

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_180635


Sorry for the delay, I've been working.

What you need to do is go through your mails to delete those you don't recognize, those with attachments and have a cleanup.

It might be worth scanning with your own Norton to see if it will do an email scan to try and locate the bad infected mails.


Hello Dan. I will try to cleanup my Mail Folders tonight.

This thing is bothering my mind <<Security Update for Windows XP (KB927779)>>; do you have any idea about it?

Security is still (endlessly) asking me to do always and only this update.

Thanks, Yuri

:D


Just done a Malwarebytes scan.

It does not look good. :D

=======================

Malwarebytes' Anti-Malware 1.35

Database version: 1918

Windows 5.1.2600 Service Pack 2

30/03/2009 3:03:29 PM

mbam-log-2009-03-30 (15-03-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 181800

Time elapsed: 1 hour(s), 18 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hello Dan.

I have refreshed, deleted, and separated all my mail in the mailbox.pst file by creating an additional Outlook data file folder.

Deleted lots of attachments.

With repeated Kaspersky scan it looks better.

Please review.

Yuri. :):):)

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Tuesday, March 31, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Tuesday, March 31, 2009 04:29:07

Records in database: 1988770

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

Scan statistics:

Files scanned: 93275

Threat name: 3

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 02:59:21

File name / Threat name / Threats count

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: not-a-virus:AdTool.Win32.BitAccelerator.m 1

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: not-a-virus:WebToolbar.Win32.BitAccelerator.o 1

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: Trojan.Win32.ConnectionServices.aa 1

The selected area was scanned.

================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:00:09 AM, on 31/03/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Oksana')

O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Oksana')

O4 - HKUS\S-1-5-21-2745678790-3757435101-538525854-1009\..\Run: [i.UA Checker] c:\program files\mi6\i.ua checker\iua_checker.exe (User 'Oksana')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &

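The two scanner logs posted in this thread (Malwarebytes' Anti-Malware 1.35 and Kaspersky Online Scanner 7) have a regular line format, and when triaging many such logs it is easier to parse them than to eyeball them. The Python below is an added example, not part of the original post and not any scanner vendor's tooling; the sample log text embedded in it is constructed to mirror the format of the logs above (the `C:\WINDOWS\system32\example.dll` line is invented so that a non-restore-point hit appears). It extracts the summary counts and itemised detections from an MBAM log, checks that the summary agrees with the itemised entries, flags items recorded as `No action taken`, and for Kaspersky output separates hits inside `System Volume Information\_restore{...}\RP...` (System Restore copies of old files) from hits on live files.

```python
"""Triage helpers for two scanner report formats: Malwarebytes' Anti-Malware 1.x
text logs and Kaspersky Online Scanner 7 reports.
Added example, not part of the original forum post. The sample texts below are
constructed to mirror the posted logs; the example.dll line is invented."""
import re
from collections import Counter

# Constructed sample in the shape of the MBAM 1.35 log posted in the thread.
MBAM_SAMPLE = r"""Malwarebytes' Anti-Malware 1.35
Database version: 1918
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 181800

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Constructed sample of Kaspersky Online Scanner 7 detection lines.
KAV_SAMPLE = r"""File name / Threat name / Threats count
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: not-a-virus:AdTool.Win32.BitAccelerator.m 1
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1516\A0319845.exe Infected: Trojan.Win32.ConnectionServices.aa 1
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Example.a 1
The selected area was scanned.
"""

# "Registry Keys Infected: 1"  -> summary count
SUMMARY_RE = re.compile(r"^(?P<kind>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Registry Keys Infected:"    -> start of an itemised section
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+ Infected):$")
# "<object> (<threat>) -> <action>."
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return {'counts': {section: n}, 'items': [{section, object, threat, action}]}."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:  # summary block: remember the count, we are not in a section yet
            counts[m.group("kind")] = int(m.group("n"))
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("kind")
            continue
        if section and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                items.append({"section": section, "object": m.group("obj"),
                              "threat": m.group("threat"), "action": m.group("action")})
    return {"counts": counts, "items": items}


def counts_consistent(report):
    """True when the summary counts add up to the number of itemised detections."""
    return sum(report["counts"].values()) == len(report["items"])


def unremoved(report):
    """Detections the scanner logged but did not act on (user pressed no 'Remove')."""
    return [i for i in report["items"] if i["action"].startswith("No action taken")]


# "<drive>:\<path> Infected: <threat> <count>"
KAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<n>\d+)$")
# System Restore keeps copies of old files under _restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)


def parse_kav(text):
    """Return one dict per detection line, tagging restore-point copies."""
    hits = []
    for raw in text.splitlines():
        m = KAV_RE.match(raw.strip())
        if m:
            hits.append({"path": m.group("path"), "threat": m.group("threat"),
                         "count": int(m.group("n")),
                         "restore_point": bool(RESTORE_RE.search(m.group("path")))})
    return hits


def live_vs_restore(hits):
    """How many hits sit on live files versus inside System Restore snapshots."""
    c = Counter("restore_point" if h["restore_point"] else "live" for h in hits)
    return {"live": c["live"], "restore_point": c["restore_point"]}


if __name__ == "__main__":
    r = parse_mbam(MBAM_SAMPLE)
    print(r["counts"], "consistent:", counts_consistent(r))
    for i in unremoved(r):
        print("NOT REMOVED:", i["section"], i["object"], i["threat"])
    print(live_vs_restore(parse_kav(KAV_SAMPLE)))
```

Hits whose only location is a `_restore{...}\RPnnn` directory are snapshot copies rather than files the running system loads, so the live/restore split is the first thing to look at when deciding whether a report like the Kaspersky one above still indicates an active infection.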

There is one more thing to add: :)

=============================

Malwarebytes' Anti-Malware 1.35

Database version: 1924

Windows 5.1.2600 Service Pack 2

31/03/2009 10:38:05 AM

mbam-log-2009-03-31 (10-38-05).txt

Scan type: Full Scan (C:\|)

Objects scanned: 182252

Time elapsed: 55 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
