Solved: Please review my hijack file!! Again..task manager,regedit has been disabled

Micheal John · 08-Dec-2007, 03:23 PM #1

I am using windows 2000 os in my machine. 10 days back my machine was infected with some malware and my task manager,regedit all are disabled. Even I couldn't open the hijack application to get the log file. So I backed up some important data in 2gb usb drive and formatted the machine entirely and installed all the application newly. Now I have copied some of the backed up files from the usb drive and I have cing the same problem. one new folder is created automatically and my task manager is disabled and I can't able to open the regedit.I am

sending you the hijack log file.please help to remove it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:15 AM, on 12/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\oracle\ora92\bin\omtsreco.exe
D:\oracle\ora92\bin\agntsrvc.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINNT\system32\cmd.exe
D:\oracle\ora92\bin\dbsnmp.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.

exe
C:\Program Files\Common Files\Symantec Shared\Security

Console\NSCSRVCE.EXE
F:\Niyas\All About DTS\All About DTS\All About DTS.exe
F:\Niyas\All About DTS\All About DTS\All About DTS.exe
F:\Niyas\All About DTS\All About DTS\All About DTS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

about:blank
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no

file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B}

- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program

Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.

exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\RVHOST.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program

Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User

'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft

Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,

DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program

Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Edit with XML Spy -

{2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program

Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy -

{2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program

Files\Altova\XMLSPY2004\spy.htm (HKCU)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program

Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -

VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -

Symantec Corporation - C:\Program Files\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\Security

Console\NSCSRVCE.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation -

D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation -

D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner -

D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner -

D:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner -

D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner -

D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner -

D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner -

D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDTS - Oracle Corporation -

d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceDTSDB - Oracle Corporation -

d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceORACLE - Oracle Corporation -

d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceSAMPLEDB - Oracle Corporation -

d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation -

C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation -

D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 7790 bytes

**Cheeseball81** · 08-Dec-2007, 06:34 PM #2

The Hijack This log is hard to read.
Please rescan with Hijack This.
When the log opens in Notepad, go to Format and select Wordwrap.
Then copy and paste the log here.

Micheal John · 09-Dec-2007, 03:57 AM #3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:10 PM, on 12/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\oracle\ora92\bin\omtsreco.exe
D:\oracle\ora92\bin\agntsrvc.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINNT\system32\cmd.exe
D:\oracle\ora92\bin\dbsnmp.exe
d:\oracle\ora92\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\RVHOST.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\RVHOST.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINNT\system32\RVHOST.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{143D75C4-B6D9-4DCA-BA4F-E0832E493F01}: NameServer = 218.248.240.79 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{143D75C4-B6D9-4DCA-BA4F-E0832E493F01}: NameServer = 218.248.240.79 218.248.240.135
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDTS - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceDTSDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceORACLE - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceSAMPLEDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 8029 bytes

**Cheeseball81** · 09-Dec-2007, 02:26 PM #4

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
...

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Micheal John · 09-Dec-2007, 03:02 PM #5

After running combofix I am getting the error pop up message "Registry Editing - Cannot import creg.dat:Error accessing the registry".
But now task manager and registry are enabled!! now my machine is clean. I have the datas in the usb, can i use it now or i have to format it. I have not connected the usb drive yet. I am waiting for your next input!

ComboFix 07-12-09.1 - Ahmed Bros 12/10/2007 0:16:31.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.105 [GMT 5.5:30]
Running from: C:\Documents and Settings\Ahmed Bros\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\rvhost.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-10 00:16 . 12/10/07 12:16a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_480.dat
2007-12-09 00:14 . 11/29/07 05:33p 275,968 --a------ C:\WINNT\RVHOST.exe
2007-12-08 14:52 . 12/08/07 02:52p 0 --a------ C:\WINNT\nsreg.dat
2007-12-03 23:48 . 10/15/99 12:50p 1,056,768 --a------ C:\WINNT\ROBOEX32.DLL
2007-12-03 23:48 . 01/28/99 03:44p 49,152 --a------ C:\WINNT\INETWH32.dll
2007-12-03 23:48 . 07/20/95 12:00a 26,832 --a------ C:\WINNT\CTL3DV2.DLL
2007-12-03 23:48 . 12/03/07 11:51p 74 --ah----- C:\WINNT\6pxsc.px
2007-12-03 23:47 . 12/03/07 11:52p 3,882 --a------ C:\WINNT\ULEAD32.INI
2007-12-02 16:31 . 12/02/07 04:31p 69 --a------ C:\WINNT\NeroDigital.ini
2007-12-02 13:11 . 07/30/07 07:18p 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2007-12-02 13:11 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2007-12-02 13:11 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2007-12-02 13:11 . 07/30/07 07:18p 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2007-12-02 12:56 . 07/30/07 07:19p 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-12-02 12:56 . 07/30/07 07:19p 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-12-02 12:56 . 07/30/07 07:19p 203,096 --a------ C:\WINNT\system32\wuweb.dll
2007-12-02 12:56 . 05/26/05 04:16a 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2007-12-02 12:56 . 05/26/05 04:16a 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2007-12-02 12:56 . 07/30/07 07:19p 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-12-02 12:56 . 07/30/07 07:18p 33,624 --a------ C:\WINNT\system32\wups.dll
2007-12-02 00:20 . 12/02/07 12:20a <DIR> d-------- C:\Documents and Settings\Ahmed Bros\Application Data\Symantec
2007-12-02 00:12 . 12/02/07 12:26a <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-02 00:12 . 07/09/06 11:01p 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2007-12-02 00:12 . 07/09/06 11:01p 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
2007-12-02 00:12 . 12/02/07 12:12a 10,344 --a------ C:\WINNT\system32\drivers\symlcbrd.sys
2007-12-02 00:11 . 12/02/07 12:13a <DIR> d-------- C:\Program Files\Symantec
2007-12-02 00:11 . 12/04/07 12:26a <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-02 00:11 . 12/02/07 12:18a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 13:12 . 11/29/07 01:12p <DIR> d-------- C:\WINNT\logs
2007-11-22 10:24 . 11/22/07 10:40a <DIR> d-------- C:\Program Files\Oracle
2007-11-18 15:01 . 11/18/07 03:01p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\.netbeans
2007-11-18 00:52 . 11/18/07 12:52a <DIR> d-------- C:\Documents and Settings\Ahmed Bros\soar
2007-11-18 00:31 . 11/18/07 12:54a 10,423 --a------ C:\WINNT\vpd.properties
2007-11-18 00:07 . 11/18/07 12:08a <DIR> d-------- C:\Program Files\Google
2007-11-13 00:16 . 12/09/07 06:05p 1,199,274 ---h----- C:\WINNT\ShellIconCache
2007-11-12 23:09 . 11/12/07 11:10p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-11-12 23:03 . 11/12/07 11:03p <DIR> d-------- C:\Program Files\IVT Corporation
2007-11-11 19:03 . 11/29/07 01:07p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\Application Data\ACD Systems
2007-11-11 18:50 . 06/13/96 07:48p 722,192 --a------ C:\WINNT\system32\Vb40032.dll
2007-11-11 18:50 . 01/29/01 04:30p 436,224 --a------ C:\WINNT\wweb32.dll
2007-11-11 18:50 . 07/25/95 11:00p 330,752 --a------ C:\WINNT\system32\Comctl32.ocx
2007-11-11 18:50 . 07/26/95 12:00a 129,024 --a------ C:\WINNT\system32\Tabctl32.ocx
2007-11-11 18:19 . 11/12/07 10:57p 3,932,214 --a------ C:\WINNT\Theme Ahmed Bros.bmp
2007-11-11 18:16 . 04/07/97 07:06p 284,160 --a------ C:\WINNT\system32\l3codecp.acm
2007-11-11 18:16 . 07/14/95 12:00a 146,321 --a------ C:\WINNT\system32\plus!.hlp
2007-11-11 18:16 . 06/11/00 09:53p 32,768 --a------ C:\WINNT\system32\dapanel.cpl
2007-11-11 18:16 . 06/01/95 12:00p 1,300 --a------ C:\WINNT\system32\cool.dll
2007-11-11 18:05 . 11/11/07 06:05p 50 --a------ C:\WINNT\Winamp.ini
2007-11-11 18:04 . 11/11/07 06:04p 41 --a------ C:\WINNT\winampa.ini
2007-11-11 17:58 . 12/07/99 07:41a 424,960 --a------ C:\WINNT\system32\msms001.vwp
2007-11-11 17:58 . 12/07/99 07:41a 281,600 --a------ C:\WINNT\system32\mvoice.vwp
2007-11-11 17:58 . 12/07/99 07:41a 278,016 --a------ C:\WINNT\system32\vct3216.dll
2007-11-11 17:58 . 12/07/99 07:41a 82,944 --a------ C:\WINNT\system32\vct3216.acm
2007-11-11 17:58 . 12/07/99 07:41a 69,632 --a------ C:\WINNT\system32\voxmvdec.ax
2007-11-11 17:58 . 12/07/99 07:41a 69,632 --a------ C:\WINNT\system32\voxmsdec.ax
2007-11-11 17:57 . 11/11/07 05:57p <DIR> d-------- C:\Program Files\Adaptec
2007-11-11 17:57 . 08/08/00 12:31p 262,416 --a------ C:\WINNT\system32\wmvds32.ax
2007-11-11 17:57 . 08/08/00 12:31p 262,416 --a------ C:\WINNT\system32\mpg4ds32.ax
2007-11-11 17:57 . 08/07/00 05:10p 221,456 --a------ C:\WINNT\system32\msadds32.ax
2007-11-11 17:57 . 08/08/00 12:31p 69,904 --a------ C:\WINNT\system32\msscds32.ax
2007-11-11 17:57 . 04/10/00 07:10a 52,720 --a------ C:\WINNT\system32\drivers\cdr4_2k.sys
2007-11-11 17:57 . 04/10/00 07:10a 45,056 --a------ C:\WINNT\system32\cdrtc.dll
2007-11-11 17:57 . 04/10/00 07:10a 45,056 --a------ C:\WINNT\system32\cdral.dll
2007-11-11 17:57 . 04/10/00 07:10a 22,585 --a------ C:\WINNT\system32\drivers\cdralw2k.sys
2007-11-11 17:55 . 08/08/00 12:31p 446,736 --a------ C:\WINNT\system32\wmvdmoe.dll
2007-11-11 17:55 . 02/11/00 10:11a 368,710 --a------ C:\WINNT\system32\msisam11.dll
2007-11-11 17:55 . 08/08/00 12:31p 340,240 --a------ C:\WINNT\system32\wmstream.dll
2007-11-11 17:55 . 02/11/00 10:11a 241,725 --a------ C:\WINNT\system32\msuni11.dll
2007-11-11 17:55 . 08/08/00 12:33p 164,112 --a------ C:\WINNT\system32\mindex.dll
2007-11-11 17:55 . 08/08/00 12:31p 119,056 --a------ C:\WINNT\system32\wmsdmoe.dll
2007-11-11 17:55 . 08/08/00 12:32p 89,600 --a------ C:\WINNT\system32\wmidx.ocx
2007-11-11 17:55 . 12/06/99 10:36a 66,048 --a------ C:\WINNT\system32\unam4ie.exe
2007-11-11 17:22 . 06/19/03 12:05p 618,889 --a------ C:\WINNT\system32\instcat.sql
2007-11-11 17:22 . 08/07/00 05:10p 282,896 --a------ C:\WINNT\system32\msaud32.acm
2007-11-11 17:22 . 06/19/03 12:05p 4,296 --a------ C:\WINNT\system32\odbcconf.rsp
2007-11-11 17:13 . 11/11/07 05:13p <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 17:13 . 04/05/99 10:48a 86,016 --a------ C:\WINNT\unvise32.exe
2007-11-11 17:12 . 11/11/07 05:12p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-11 17:11 . 11/11/07 05:12p <DIR> d-------- C:\Program Files\ACD Systems
2007-11-11 16:59 . 11/11/07 04:59p 1,762 --a------ C:\WINNT\sql.mif
2007-11-11 16:58 . 07/19/97 05:00p 129,808 --------- C:\WINNT\system32\comdlg32.ocx
2007-11-11 16:57 . 08/06/00 01:51a 192,569 --a------ C:\WINNT\system32\msrpjt40.dll
2007-11-11 16:57 . 08/06/00 01:50a 36,939 --a------ C:\WINNT\system32\insrepim.exe
2007-11-11 16:56 . 07/07/00 12:20p 81,920 --a------ C:\WINNT\system32\mdt2fw95.dll
2007-11-11 16:55 . 08/06/00 01:51a 274,489 --a------ C:\WINNT\system32\ntwdblib.dll
2007-11-11 16:55 . 08/06/00 01:51a 32,830 --a------ C:\WINNT\system32\dbmsshrn.dll
2007-11-11 16:55 . 08/06/00 01:51a 28,734 --a------ C:\WINNT\system32\dbmslpcn.dll
2007-11-11 16:54 . 11/11/07 04:54p <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-11-11 16:12 . 10/29/98 04:45p 306,688 --a------ C:\WINNT\IsUninst.exe
2007-11-11 16:12 . 11/11/07 05:00p 1,416 --a------ C:\WINNT\setup.iss
2007-11-11 15:39 . 11/11/07 03:46p <DIR> d--h----- C:\Program Files\Zero G Registry
2007-11-11 15:39 . 11/11/07 03:39p <DIR> d--h----- C:\Documents and Settings\Ahmed Bros\InstallAnywhere
2007-11-11 14:52 . 11/30/07 02:44p 896 --a------ C:\WINNT\ODBC.INI
2007-11-11 14:50 . 11/11/07 02:50p <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-11 14:44 . 11/11/07 02:48p <DIR> d-------- C:\WINNT\ShellNew
2007-11-11 14:44 . 11/11/07 02:44p <DIR> d-------- C:\Program Files\Common Files\L&H
2007-11-11 14:37 . 11/11/07 02:37p <DIR> d-------- C:\Program Files\Altova
2007-11-11 13:28 . 11/11/07 01:28p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\Application Data\AdobeUM
2007-11-10 17:24 . 12/04/07 12:30a <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-10 17:21 . 06/03/05 03:52a 49,265 --a------ C:\WINNT\system32\jpicpl32.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 18:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 09:08 --------- d---a-w C:\Program Files\McAfee.com
2007-11-28 19:12 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\U3
2007-11-10 10:59 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\PC Suite
2007-11-09 09:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-09 09:08 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\Nokia
2007-10-28 07:52 --------- d-----w C:\Program Files\DIFX
2007-10-28 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-27 23:31 --------- d-----w C:\Program Files\Accessories
2007-10-27 19:00 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\McAfee.com Personal Firewall
2007-10-27 18:59 --------- d-----w C:\Documents and Settings\Default User\Application Data\McAfee.com Personal Firewall
2007-10-27 18:27 --------- d-----w C:\Program Files\ToniArts
2007-10-27 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-27 18:13 --------- d-----w C:\Program Files\Trend Micro
2007-10-27 18:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-27 18:03 558,142 ----a-w C:\WINNT\java\Packages\VTBLZF3T.ZIP
2007-10-27 18:03 271 ---h--w C:\Program Files\desktop.ini
2007-10-27 18:03 21,952 ---h--w C:\Program Files\folder.htt
2007-10-27 18:03 156,441 ----a-w C:\WINNT\java\Packages\89VVDN3P.ZIP
1999-12-06 21:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [11/18/07 12:08a]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 10:50a]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/05 03:52a]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/09/06 11:00p]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [07/09/06 11:01p]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 12:05p]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-04 00:33:25]
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S2 OracleOraHome92Agent;OracleOraHome92Agent;D:\oracle\ora92\bin\agntsrvc.exe
S2 OracleServiceDTSDB;OracleServiceDTSDB;d:\oracle\ora92\bin\ORACLE.EXE DTSDB
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINNT\system32\drivers\BTNetFilter.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;D:\oracle\ora92\BIN\O NRSD.EXE
S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"D:\oracle\ora92\Apache \Apache\apache.exe" --ntservice
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;D:\ oracle\ora92\BIN\ENCSVC.EXE
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;D:\or acle\ora92\BIN\AGNTSVC.EXE
S3 OracleServiceDTS;OracleServiceDTS;d:\oracle\ora92\bin\ORACLE.EXE DTS
S3 OracleServiceORACLE;OracleServiceORACLE;d:\oracle\ora92\bin\ORACLE.EXE ORACLE
S3 OracleServiceSAMPLEDB;OracleServiceSAMPLEDB;d:\oracle\ora92\bin\ORACLE.EXE SAMPLEDB
S3 Tomcat5;Apache Tomcat;"D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 18:07:06 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\RVHOST.exe
"2007-12-09 18:07:06 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\RVHOST.exe
"2007-12-01 18:54:04 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Ahmed Bros.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-12-09 12:17:59 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 00:20:18
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 12/10/2007 0:21:07
.
--- E O F ---

HIJACK THIS LOG AFTER GETTING THE COMBOFIX LOG
=================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:49 AM, on 12/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDTS - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceDTSDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceORACLE - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceSAMPLEDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 6996 bytes

**Cheeseball81** · 09-Dec-2007, 10:01 PM #6

Download and install AVG Anti-Spyware v7.5

After download, double click on the file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.
Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update".
Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:

Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan? ", "Possibly unwanted software", and What to Scan?" leave all the default settings.
Under "Reports" select "Do not automatically generate reports".
Click the "Scan" tab to return to scanning options.
Click "Complete System Scan" to start.
When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the :Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period.

Please go HERE to run Panda's ActiveScan

You need to use IE to run this scan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.

Micheal John · 07:46 AM

Actually I have installed the AVG Anti-spyware before iteslf and the trial period is over. and i have uninstalled that anti-spyware. even if i am installing it again. it won't have the full version. can it be a problem? can i able to install it again and do the things what you have suggested?

**Cheeseball81** · 10-Dec-2007, 10:02 PM #8

It should not be an issue reinstalling it again as far as I know.

Micheal John · 11-Dec-2007, 02:36 PM #9

I have attached the log files from AVG Anti-Spyware, Panda Active Scan and the hih\jack this file.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:20:59 AM 12/11/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-823518204-1957994488-1202660629-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
F:\Anees\My Folder\EXE's\horoscope.exe -> Not-A-Virus.BadJoke.Win32.Anywork : Cleaned with backup (quarantined).
:mozilla.10

:\Program Files\MyEclipse\eclipse\plugins\com.genuitec.javascript.debug.mozilla_4.1.0 \XPCOM\mozilla\Firefox\Profiles\default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11

:\Program Files\MyEclipse\eclipse\plugins\com.genuitec.javascript.debug.mozilla_4.1.0 \XPCOM\mozilla\Firefox\Profiles\default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.144:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.145:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.146:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.43:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@standardcharteredbank.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.93:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@2.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.24:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.153:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.102:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.103:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.104:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.105:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.106:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.108:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.109:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.154:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.122:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.123:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.110:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.124:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.125:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.126:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.127:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.128:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.129:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@ehg-ittoolbox.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@ehg-oreilly.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.89:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.90:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.91:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.56:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.57:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.13

:\Program Files\MyEclipse\eclipse\plugins\com.genuitec.javascript.debug.mozilla_4.1.0 \XPCOM\mozilla\Firefox\Profiles\default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.8

:\Program Files\MyEclipse\eclipse\plugins\com.genuitec.javascript.debug.mozilla_4.1.0 \XPCOM\mozilla\Firefox\Profiles\default\cookies-1.txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.35:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.118:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.119:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.120:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.121:C:\Documents and Settings\Ahmed Bros\Application Data\Mozilla\Firefox\Profiles\z6a661qf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Ahmed Bros\Cookies\ahmed bros@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

============================================

Incident Status Location

Adware:adware/netword Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ahmed Bros\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ahmed Bros\Desktop\ComboFix.exe[nircmd.cfexe]
Virus:W32/Sohanat.BD.worm Disinfected C:\qoobox\Quarantine\C\WINNT\system32\RVHOST.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NirCmd.exe
Virus:W32/Sohanat.BD.worm Disinfected C:\WINNT\RVHOST.exe

=================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:05 AM, on 12/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\Explorer.EXE
D:\oracle\ora92\bin\agntsrvc.exe
D:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINNT\system32\cmd.exe
d:\oracle\ora92\bin\ORACLE.EXE
D:\oracle\ora92\bin\dbsnmp.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - D:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - D:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - D:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceDTS - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceDTSDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceORACLE - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceSAMPLEDB - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe

--
End of file - 7626 bytes

**Cheeseball81** · 11-Dec-2007, 11:44 PM **#10**

Now if I can trouble you to rerun ComboFix one more time, post the results and then we can proceed with the removal process.

Micheal John · 12-Dec-2007, 11:32 AM **#11**

ComboFix 07-12-09.1 - Ahmed Bros 12/12/2007 20:54:17.2 - NTFSx86
Running from: C:\Documents and Settings\Ahmed Bros\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-12 20:54 . 12/12/07 08:54p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4a4.dat
2007-12-11 21:00 . 12/12/07 12:09a 741,954 ---h----- C:\WINNT\ShellIconCache
2007-12-11 01:38 . 12/11/07 08:03p <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-12-11 01:38 . 12/11/07 02:16a 30,590 --a------ C:\WINNT\system32\pavas.ico
2007-12-11 01:38 . 12/11/07 02:16a 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2007-12-11 01:38 . 12/11/07 02:16a 1,406 --a------ C:\WINNT\system32\Help.ico
2007-12-10 22:01 . 12/10/07 10:01p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\Application Data\Grisoft
2007-12-10 22:00 . 05/30/07 05:40p 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-12-08 14:52 . 12/08/07 02:52p 0 --a------ C:\WINNT\nsreg.dat
2007-12-03 23:48 . 10/15/99 12:50p 1,056,768 --a------ C:\WINNT\ROBOEX32.DLL
2007-12-03 23:48 . 01/28/99 03:44p 49,152 --a------ C:\WINNT\INETWH32.dll
2007-12-03 23:48 . 07/20/95 12:00a 26,832 --a------ C:\WINNT\CTL3DV2.DLL
2007-12-03 23:48 . 12/03/07 11:51p 74 --ah----- C:\WINNT\6pxsc.px
2007-12-03 23:47 . 12/03/07 11:52p 3,882 --a------ C:\WINNT\ULEAD32.INI
2007-12-02 16:31 . 12/02/07 04:31p 69 --a------ C:\WINNT\NeroDigital.ini
2007-12-02 13:11 . 07/30/07 07:18p 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2007-12-02 13:11 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2007-12-02 13:11 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2007-12-02 13:11 . 07/30/07 07:18p 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2007-12-02 12:56 . 07/30/07 07:19p 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-12-02 12:56 . 07/30/07 07:19p 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-12-02 12:56 . 07/30/07 07:19p 203,096 --a------ C:\WINNT\system32\wuweb.dll
2007-12-02 12:56 . 05/26/05 04:16a 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2007-12-02 12:56 . 05/26/05 04:16a 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2007-12-02 12:56 . 07/30/07 07:19p 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-12-02 12:56 . 07/30/07 07:18p 33,624 --a------ C:\WINNT\system32\wups.dll
2007-12-02 00:20 . 12/11/07 08:10p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\Application Data\Symantec
2007-12-02 00:12 . 12/11/07 07:15a <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-02 00:12 . 07/09/06 11:01p 108,168 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2007-12-02 00:12 . 07/09/06 11:01p 87,768 --a------ C:\WINNT\system32\S32EVNT1.DLL
2007-12-02 00:12 . 12/02/07 12:12a 10,344 --a------ C:\WINNT\system32\drivers\symlcbrd.sys
2007-12-02 00:11 . 12/11/07 07:30a <DIR> d-------- C:\Program Files\Symantec
2007-12-02 00:11 . 12/11/07 08:03p <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-02 00:11 . 12/11/07 06:28a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 13:12 . 11/29/07 01:12p <DIR> d-------- C:\WINNT\logs
2007-11-22 10:24 . 11/22/07 10:40a <DIR> d-------- C:\Program Files\Oracle
2007-11-18 15:01 . 11/18/07 03:01p <DIR> d-------- C:\Documents and Settings\Ahmed Bros\.netbeans
2007-11-18 00:52 . 11/18/07 12:52a <DIR> d-------- C:\Documents and Settings\Ahmed Bros\soar
2007-11-18 00:31 . 11/18/07 12:54a 10,423 --a------ C:\WINNT\vpd.properties
2007-11-18 00:07 . 12/11/07 08:03p <DIR> d-------- C:\Program Files\Google
2007-11-12 23:09 . 11/12/07 11:10p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-11-12 23:03 . 11/12/07 11:03p <DIR> d-------- C:\Program Files\IVT Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 19:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 18:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 09:08 --------- d---a-w C:\Program Files\McAfee.com
2007-11-29 07:37 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\ACD Systems
2007-11-28 19:12 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\U3
2007-11-11 12:27 --------- d-----w C:\Program Files\Adaptec
2007-11-11 11:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 11:42 --------- d-----w C:\Program Files\ACD Systems
2007-11-11 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-11 11:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-11-11 10:16 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-11 09:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 09:14 --------- d-----w C:\Program Files\Common Files\L&H
2007-11-11 09:07 --------- d-----w C:\Program Files\Altova
2007-11-11 07:58 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\AdobeUM
2007-11-10 11:41 --------- d-----w C:\Program Files\Common Files\Java
2007-11-10 11:03 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\DataLayer
2007-11-10 10:59 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\PC Suite
2007-11-10 10:56 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-11-10 10:56 --------- d-----w C:\Program Files\Common Files\Nokia
2007-11-10 09:24 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\CyberLink
2007-11-10 09:01 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-10 08:59 --------- d-----w C:\Program Files\CyberLink
2007-11-10 08:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-09 09:45 --------- d-----w C:\Documents and Settings\Default User\Application Data\PC Suite
2007-11-09 09:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-09 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-11-09 09:08 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\Nokia
2007-10-28 07:52 --------- d-----w C:\Program Files\DIFX
2007-10-28 07:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-27 23:31 --------- d-----w C:\Program Files\Accessories
2007-10-27 19:00 --------- d-----w C:\Documents and Settings\Ahmed Bros\Application Data\McAfee.com Personal Firewall
2007-10-27 18:59 --------- d-----w C:\Documents and Settings\Default User\Application Data\McAfee.com Personal Firewall
2007-10-27 18:27 --------- d-----w C:\Program Files\ToniArts
2007-10-27 18:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-27 18:13 --------- d-----w C:\Program Files\Trend Micro
2007-10-27 18:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-27 18:03 558,142 ----a-w C:\WINNT\java\Packages\VTBLZF3T.ZIP
2007-10-27 18:03 271 ---h--w C:\Program Files\desktop.ini
2007-10-27 18:03 21,952 ---h--w C:\Program Files\folder.htt
2007-10-27 18:03 156,441 ----a-w C:\WINNT\java\Packages\89VVDN3P.ZIP
1999-12-06 21:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Mon 12-10-2007_ 0.20.22.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 02:58:54 141,424 ----a-w C:\WINNT\Downloaded Program Files\asinst.dll
+ 2007-03-29 03:50:50 110,592 ----a-w C:\WINNT\system32\ActiveScan\as.dll
+ 2006-10-05 10:45:26 233,472 ----a-w C:\WINNT\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 08:33:18 96,256 ----a-w C:\WINNT\system32\ActiveScan\asmdat.dll
+ 2003-08-01 05:30:16 36,864 ----a-w C:\WINNT\system32\ActiveScan\certdll.dll
+ 2005-05-20 08:12:44 86,016 ----a-w C:\WINNT\system32\ActiveScan\instlsp.dll
+ 2006-02-16 12:50:20 4,608 ----a-w C:\WINNT\system32\ActiveScan\memvfile.dll
+ 2005-10-25 12:38:32 348,160 ----a-w C:\WINNT\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 09:31:02 139,264 ----a-w C:\WINNT\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 07:34:10 45,056 ----a-w C:\WINNT\system32\ActiveScan\pavdr.exe
+ 2006-04-10 05:20:02 159,832 ----a-w C:\WINNT\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 07:35:38 94,208 ----a-w C:\WINNT\system32\ActiveScan\pavinas.dll
+ 2006-02-16 13:05:38 180,224 ----a-w C:\WINNT\system32\ActiveScan\pavoe.dll
+ 2006-10-05 10:45:38 122,880 ----a-w C:\WINNT\system32\ActiveScan\pavpz.dll
+ 2006-06-30 08:43:38 8,704 ----a-w C:\WINNT\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 08:38:42 49,152 ----a-w C:\WINNT\system32\ActiveScan\port32.dll
+ 2006-08-01 07:53:10 69,632 ----a-w C:\WINNT\system32\ActiveScan\pscpu.dll
+ 2006-08-23 07:36:08 1,388,544 ----a-w C:\WINNT\system32\ActiveScan\pskahk.dll
+ 2006-08-17 06:08:14 10,752 ----a-w C:\WINNT\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 06:19:54 61,440 ----a-w C:\WINNT\system32\ActiveScan\pskas.dll
+ 2006-08-18 03:16:18 779,264 ----a-w C:\WINNT\system32\ActiveScan\pskavs.dll
+ 2007-03-26 08:55:34 417,792 ----a-w C:\WINNT\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 05:12:24 90,112 ----a-w C:\WINNT\system32\ActiveScan\pskfss.dll
+ 2006-07-19 05:25:58 208,896 ----a-w C:\WINNT\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 11:27:00 9,728 ----a-w C:\WINNT\system32\ActiveScan\pskmas.dll
+ 2006-05-17 04:20:12 14,336 ----a-w C:\WINNT\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 05:28:12 33,280 ----a-w C:\WINNT\system32\ActiveScan\pskpack.dll
+ 2006-06-30 09:12:36 266,240 ----a-w C:\WINNT\system32\ActiveScan\pskscs.dll
+ 2006-08-17 09:03:14 62,976 ----a-w C:\WINNT\system32\ActiveScan\pskutil.dll
+ 2006-08-08 07:43:10 13,312 ----a-w C:\WINNT\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 03:23:08 69,632 ----a-w C:\WINNT\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 03:19:50 167,936 ----a-w C:\WINNT\system32\ActiveScan\pskvm.dll
+ 2007-04-18 11:46:04 353,840 ----a-w C:\WINNT\system32\ActiveScan\psscan.dll
+ 2007-01-22 09:12:48 35,328 ----a-w C:\WINNT\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 00:42:32 9,488 ----a-w C:\WINNT\system32\ActiveScan\sporder.dll
+ 2006-02-28 11:53:40 69,632 ----a-w C:\WINNT\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 07:09:06 73,728 ----a-w C:\WINNT\system32\asuninst.exe
- 2005-09-09 08:51:51 466,944 ----a-w C:\WINNT\system32\capicom.dll
+ 2006-07-25 12:33:42 466,944 ----a-w C:\WINNT\system32\capicom.dll
+ 2003-03-25 13:23:50 11,776 ----a-w C:\WINNT\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 10:50a]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [06/03/05 03:52a]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/09/06 11:00p]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [07/09/06 11:01p]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 12:05p]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-04 00:33:25]
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R2 OracleOraHome92Agent;OracleOraHome92Agent;D:\oracle\ora92\bin\agntsrvc.exe
R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S2 OracleServiceDTSDB;OracleServiceDTSDB;d:\oracle\ora92\bin\ORACLE.EXE DTSDB
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINNT\system32\drivers\BTNetFilter.sys
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;D:\oracle\ora92\BIN\O NRSD.EXE
S3 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"D:\oracle\ora92\Apache \Apache\apache.exe" --ntservice
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;D:\ oracle\ora92\BIN\ENCSVC.EXE
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;D:\or acle\ora92\BIN\AGNTSVC.EXE
S3 OracleServiceDTS;OracleServiceDTS;d:\oracle\ora92\bin\ORACLE.EXE DTS
S3 OracleServiceORACLE;OracleServiceORACLE;d:\oracle\ora92\bin\ORACLE.EXE ORACLE
S3 OracleServiceSAMPLEDB;OracleServiceSAMPLEDB;d:\oracle\ora92\bin\ORACLE.EXE SAMPLEDB
S3 Tomcat5;Apache Tomcat;"D:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5

.
Contents of the 'Scheduled Tasks' folder
"2007-12-11 03:30:04 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\RVHOST.exe
"2007-12-11 03:30:05 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\RVHOST.exe
"2007-12-01 18:54:04 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Ahmed Bros.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 20:56:37
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 12/12/2007 20:57:54
C:\ComboFix2.txt ... 12/10/07 12:21a
.
--- E O F ---

**Cheeseball81** · 12-Dec-2007, 10:21 PM **#12**

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to delete:
C:\WINNT\RVHOST.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

This folder can also be emptied: C:\qoobox\Quarantine

Micheal John · 13-Dec-2007, 01:20 PM **#13**

I am attaching the log file from Avenger. Whether now pc is cleaned? I have a doubt, I am using a USB drive and I am suspecting the virus may be came from tht USB and I want to format it. Whether I can connect that USB and format it. What will be the next action?

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\puiljynq

*******************

Script file located at: \??\C:\WINNT\system32\iafqkila.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\RVHOST.exe not found!
Deletion of file C:\WINNT\RVHOST.exe failed!

Could not process line:
C:\WINNT\RVHOST.exe
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

**Cheeseball81** · 13-Dec-2007, 09:42 PM **#14**

How is the PC doing

Micheal John · 14-Dec-2007, 02:14 AM **#15**

Now it's seems to be ok and my task manager, regedit are enabled. What are the other precautions I have to take to avoid this in future? I have installed NMorton Antivirus 2006, but still my machine is infected. I will copy some files from other pc and copy it to my pc through usb drive,that only is causing problem. Can i format my usb drive now my connecting it my pc?

Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!