cmd prompt says 'another program is currently using this file'

ihc

Hello guys and gals,
My Dell Latitude D610 says 'file being used by another program', and Java does not open in Control Panel; they both work in Safe Mode though.
I did full scans with Symantec and Webroot Spy Sweeper with no luck.
Any help would be much appreciated.
Thanks.

Here is a HijackThis log done in Safe Mode:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:13 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\DB\svchosts.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\igjflikw.dll",b
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5333 bytes

Hi, please scan and post a new HijackThis logfile in normal mode.

Please note that I will not be taking part in the fix, an expert is on the way.
 
What is the file you're trying to access?

Also, I think your Java might be out of date... you might want to update it at www.java.com

Otherwise the log, to me, looks clean, but we need one run in normal mode.
 
Your logfile shows signs of Vundo as well as another trojan infection.

I suggest you spend as little time as possible in Safe mode with network support, as your system is exposed to the Internet without any of your protection programs working, potentially allowing these infections to spread further.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Please paste the contents of the Report.txt back on the forum in your next reply

Once done, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the SDFix log.
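The indicators a helper reads off the log by eye (an HKLM Run entry launching svchosts.exe from a user profile, a Run value named 20a470b9 loading igjflikw.dll through rundll32, a user-level ProxyServer setting, a toolbar CLSID with no file behind it) can be checked mechanically. The Python script below is an added example, not part of this thread, of HijackThis, or of SDFix/ComboFix: it parses a few lines copied from the normal-mode log in this thread and flags them with those heuristics. The function names, severity labels, regular expressions and the list of imitated system binaries are this example's own assumptions, and the "generated-looking DLL name" rule is a weak signal on its own.

```python
"""Heuristic triage of HijackThis R1/O3/O4 lines (added example; not HijackThis code).

Rules: an HKLM Run entry launching from a user profile; a basename one edit
away from a Windows system binary (svchosts.exe vs svchost.exe); a Run value
named with eight hex digits; rundll32 loading a DLL with a generated-looking
name; a user-level proxy server; a toolbar registration whose file is gone.
Function names, severities and regexes are this example's own choices.
"""
import re

# Constructed input: lines copied from the normal-mode log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\DB\svchosts.exe
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\igjflikw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R[01] - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
O3_NOFILE_RE = re.compile(r"^O3 - Toolbar: .* - \(no file\)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)

# Names that malware likes to imitate with a one-character change (assumed list).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe", "rundll32.exe")
PROFILE_ROOT = "c:\\documents and settings\\"


def first_path(cmd):
    """Executable at the head of a Run command line: quoted, or bare up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)   # bare paths may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage_line(line):
    """Return [(severity, reason), ...] for one log line; empty means nothing flagged."""
    findings = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        exe = first_path(cmd)
        base = basename(exe)
        if exe.lower().startswith(PROFILE_ROOT):
            findings.append(("high", f"autorun launches from a user profile: {exe}"))
        for legit in SYSTEM_BINARIES:
            if one_edit_apart(base, legit):
                findings.append(("high", f"{base} is one character away from {legit}"))
        if re.fullmatch(r"[0-9a-f]{8}", name):
            findings.append(("high", f"Run value name '{name}' is eight hex digits"))
        d = RUNDLL_RE.search(cmd)
        if d:
            stem = basename(d.group("dll"))
            if stem.endswith(".dll"):
                stem = stem[:-4]
            # All lowercase letters, no digits: generated-looking. Weak on its own;
            # weigh it together with the other findings on the same line.
            if re.fullmatch(r"[a-z]{6,10}", stem):
                findings.append(("medium", f"rundll32 loads {stem}.dll, a generated-looking name"))
    m = PROXY_RE.match(line)
    if m:
        # A private address may be a legitimate corporate proxy; confirm with the user.
        findings.append(("medium", f"user-level HTTP proxy {m.group('proxy')}; verify it was set deliberately"))
    if O3_NOFILE_RE.match(line):
        findings.append(("low", "toolbar CLSID registered but its file is missing"))
    return findings


def triage_log(text):
    """Map each flagged line to its findings, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    report = {}
    for line in text.splitlines():
        found = triage_line(line)
        if found:
            report[line] = sorted(found, key=lambda f: rank[f[0]])
    return report


if __name__ == "__main__":
    for line, found in triage_log(SAMPLE_LOG).items():
        print(line)
        for severity, reason in found:
            print(f"    [{severity}] {reason}")
```

Running it prints the four flagged lines with their reasons; the ccApp and ctfmon entries pass. triage_line() is the place to add further rules (O2 BHOs, O20 Winlogon Notify, O21 ShellServiceObjectDelayLoad) once you have a known-good allowlist for the machine, since none of these heuristics proves a file is malicious on its own.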
 
What is the file you're trying to access?

Also, I think your Java might be out of date... you might want to update it at www.java.com

Otherwise the log, to me, looks clean, but we need one run in normal mode.
Thanks guys for the prompt reply.
Another thing that's happening is, when I go to any new page in Firefox, the window to connect to my dial-up comes up and asks if I want to connect, at which I cancel, then it enters the window. Oh, and I'm trying to access the cmd prompt through Run, that's all.
Is it OK to update Java in Safe Mode, because I can't open Java in normal mode?
Here is the HijackThis log in normal mode:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:50 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\DB\svchosts.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\DB\svchosts.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\igjflikw.dll",b
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6109 bytes
 
Hello,

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.

In your reply:
  • Post the ComboFix log
  • Post a fresh HijackThis log

Thank you
 
You already have the latest version of Java. There is no need to update.
Yay, hehe. It seems to be working now since I used SDFix, apart from it asking me to connect via dial-up every time I go to a new page. I'm not sure how to run ComboFix, can't seem to find it on the site, but here are the logs for SDFix and HijackThis.
SDFix:
SDFix: Version 1.218
Run by DB on Tue 08/19/2008 at 02:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\CDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\DB\!\WinAntiVirus Pro 2006 v2 0 225 2 Spanish Retail-ZWT.zip - Deleted
C:\Documents and Settings\DB\svchosts.exe - Deleted
C:\Documents and Settings\DB\svchosts.exe - Deleted
C:\DOCUME~1\DB\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 14:37:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,71,d9,fe,b0,51,a8,5c,5e,20,33,7f,ea,c3,54,05,05,ba,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1EE046C9-6E5B-2F8F-B887-10F89F7E82BA}]
"iadkcmonkhmamacpnh"=hex:6a,61,67,68,64,6e,69,67,67,6a,6d,6f,6a,6a,62,68,61,6e,69,68,00,..
"habkibnigcmldcfp"=hex:6a,61,67,68,64,6e,69,67,67,6a,6d,6f,6a,6a,62,68,61,6e,69,68,00,..
"abpicgiokmkaibaoceenhpdbchplcnikki"=hex:61,61,00,00
"maajhhoblnfgimjjgdamibnpho"=hex:61,61,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\F-Secure Anti-Virus\\backweb\\4476822\\Program\\fspex.exe"="C:\\Program Files\\F-Secure Anti-Virus\\backweb\\4476822\\Program\\fspex.exe:*:Enabled:F-Secure Anti-Virus 2005"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Documents and Settings\\DB\\Desktop\\Quake 2\\quake2.exe"="C:\\Documents and Settings\\DB\\Desktop\\Quake 2\\quake2.exe:*:Enabled:quake2"
"C:\\Documents and Settings\\DB\\Desktop\\games\\Quake 2\\quake2.exe"="C:\\Documents and Settings\\DB\\Desktop\\games\\Quake 2\\quake2.exe:*:Enabled:quake2"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\WINDOWS\\system32\\javaw.exe"="C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"c:\\windows\\system32\\prmrsr.exe"="c:\\windows\\system32\\prmrsr.exe:*:Enabled:prmrsr.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\EpsonNet\\EpsonNet SetupManager\\IMANAGER.exe"="C:\\Program Files\\EpsonNet\\EpsonNet SetupManager\\IMANAGER.exe:*:Enabled:EpsonNet SetupManager"
"C:\\Program Files\\EpsonNet\\EpsonNet Config V1\\EpsonNet Config.exe"="C:\\Program Files\\EpsonNet\\EpsonNet Config V1\\EpsonNet Config.exe:*:Enabled:EpsonNet Config"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :


File Backups: - C:\CDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 3 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 16 Aug 2006 165,232 A..H. --- "C:\Documents and Settings\DB\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

Finished!
-----------------------------------------------------------------------
-----------------------------------------------------------------------
hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:24 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\igjflikw.dll",b
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6056 bytes
Your guys' help has been a blessing.
Thank you (as soon as I can afford to, I will donate, which will probably be soon) :)
 
You already have the latest version of Java. There is no need to update.
 
You're welcome, the trojan has been removed but the Vundo infection is still present and needs to be taken care of.

To run ComboFix please do the following:

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Hello again.
Here are the logs for HijackThis and ComboFix respectively (I hope it's good news).
Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:15 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BM23974325] "Rundll32.exe" "C:\WINDOWS\system32\tmsgjnea.dll",s
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\sfwkpklq.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4533 bytes

ComboFix 08-08-18.05 - DB 2008-08-20 13:42:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT 2:00]
Running from: C:\Documents and Settings\DB\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\DB\UserData
C:\Documents and Settings\DB\UserData\index.dat
C:\WINDOWS\BM23974325.txt
C:\WINDOWS\BM23974325.xml
C:\WINDOWS\jestertb.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\gltfavnj.ini
C:\WINDOWS\system32\gtnkovic.ini
C:\WINDOWS\system32\igjflikw.dll
C:\WINDOWS\system32\jnvaftlg.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nflmdpwi.dll
C:\WINDOWS\system32\qlkpkwfs.ini
C:\WINDOWS\system32\sfwkpklq.dll
C:\WINDOWS\system32\tmsgjnea.dll
C:\WINDOWS\system32\urqNGayW.dll
C:\WINDOWS\system32\wkilfjgi.ini
C:\WINDOWS\system32\wvUoNGay.dll
C:\WINDOWS\system32\xkqtngue.exe
C:\WINDOWS\system32\yaGNoUvw.ini
C:\WINDOWS\system32\yaGNoUvw.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 14:22 . 2008-08-19 14:22 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-19 14:15 . 2008-08-19 14:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 14:09 . 2008-08-19 14:09 <DIR> d-------- C:\CDFix
2008-08-19 11:25 . 2008-08-19 11:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 22:17 . 2008-08-18 22:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-18 12:22 . 2008-08-18 12:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-15 11:40 . 2008-08-19 14:27 <DIR> d--hs---- C:\Documents and Settings\DB\!
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\WINDOWS\system32\kBin15
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\Temp\epr1
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\Temp
2008-08-11 08:27 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-08-11 08:27 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-08-11 08:27 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-08-11 08:27 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-08-10 11:53 . 2008-08-10 11:53 <DIR> d-------- C:\Documents and Settings\DB\Application Data\NSeries
2008-08-05 11:02 . 2008-08-05 11:02 <DIR> d-------- C:\Program Files\SoftSpot Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 11:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-19 11:04 --------- d-----w C:\Documents and Settings\DB\Application Data\LimeWire
2008-08-18 10:22 --------- d-----w C:\Program Files\Nokia
2008-08-18 10:22 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-18 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-17 11:39 --------- d-----w C:\Program Files\LimeWire
2008-07-17 09:01 --------- d-----w C:\Program Files\Java
2008-07-14 16:06 --------- d-----w C:\Documents and Settings\DB\Application Data\Nokia
2008-07-14 12:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-14 10:55 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-03 13:59 309 ----a-w C:\SETCARDS.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\wvUoNGay

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Command WorkStation 4.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Command WorkStation 4.lnk
backup=C:\WINDOWS\pss\Command WorkStation 4.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2006-08-03 20:02 3871744 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\DB\\Desktop\\games\\Quake 2\\quake2.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet SetupManager\\IMANAGER.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet Config V1\\EpsonNet Config.exe"=

R2 BppPort;BppPort;C:\WINDOWS\system32\drivers\BPP.SYS [2000-10-04 17:35]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 22:26]
S3 TESTCAP;Mobicam, Video Capture Device;C:\WINDOWS\system32\DRIVERS\mobicam.sys [2007-05-08 21:21]
S3 v800bus;Sony Ericsson V800-Vodafone 802SE driver (WDM);C:\WINDOWS\system32\DRIVERS\v800bus.sys [2004-08-09 14:51]
S3 v800mdfl;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\v800mdfl.sys [2004-08-09 14:52]
S3 v800mdm;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\v800mdm.sys [2004-08-09 14:53]
S3 v800mgmt;Sony Ericsson V800-Vodafone 802SE USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\v800mgmt.sys [2004-08-09 14:54]
S3 v800obex;Sony Ericsson V800-Vodafone 802SE USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\v800obex.sys [2004-08-09 14:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40568082-2594-11dd-9eb4-000b7d18708b}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd602d6c-dfb8-11dc-9e45-000b7d18708b}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\A1EA3575918DAAA9.job
- c:\docume~1\db\applic~1\openmess\ExtraRemoteCool.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-mlJBspOh - mlJBspOh.dll
MSConfigStartUp-NBJ - C:\Documents and Settings\DB\Desktop\Copy 2 of Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-SP2 Connection Patcher - C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\DB\Application Data\Mozilla\Firefox\Profiles\xd7cs91z.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 14:06:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-20 14:13:45 - machine was rebooted [DB]
ComboFix-quarantined-files.txt 2008-08-20 12:13:41

Pre-Run: 13,351,383,040 bytes free
Post-Run: 13,330,407,424 bytes free

 
Hello again,
here are the logs for hijack and combo respectively (I hope it's good news).
Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:15 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BM23974325] "Rundll32.exe" "C:\WINDOWS\system32\tmsgjnea.dll",s
O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\sfwkpklq.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4533 bytes
ComboFix 08-08-18.05 - DB 2008-08-20 13:42:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT 2:00]
Running from: C:\Documents and Settings\DB\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\DB\UserData
C:\Documents and Settings\DB\UserData\index.dat
C:\WINDOWS\BM23974325.txt
C:\WINDOWS\BM23974325.xml
C:\WINDOWS\jestertb.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\gltfavnj.ini
C:\WINDOWS\system32\gtnkovic.ini
C:\WINDOWS\system32\igjflikw.dll
C:\WINDOWS\system32\jnvaftlg.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nflmdpwi.dll
C:\WINDOWS\system32\qlkpkwfs.ini
C:\WINDOWS\system32\sfwkpklq.dll
C:\WINDOWS\system32\tmsgjnea.dll
C:\WINDOWS\system32\urqNGayW.dll
C:\WINDOWS\system32\wkilfjgi.ini
C:\WINDOWS\system32\wvUoNGay.dll
C:\WINDOWS\system32\xkqtngue.exe
C:\WINDOWS\system32\yaGNoUvw.ini
C:\WINDOWS\system32\yaGNoUvw.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 14:22 . 2008-08-19 14:22 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-19 14:15 . 2008-08-19 14:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 14:09 . 2008-08-19 14:09 <DIR> d-------- C:\CDFix
2008-08-19 11:25 . 2008-08-19 11:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 22:17 . 2008-08-18 22:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-18 12:22 . 2008-08-18 12:22 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-15 11:40 . 2008-08-19 14:27 <DIR> d--hs---- C:\Documents and Settings\DB\!
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\WINDOWS\system32\kBin15
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\Temp\epr1
2008-08-15 11:34 . 2008-08-15 11:34 <DIR> d-------- C:\Temp
2008-08-11 08:27 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-08-11 08:27 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-08-11 08:27 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-08-11 08:27 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-08-10 11:53 . 2008-08-10 11:53 <DIR> d-------- C:\Documents and Settings\DB\Application Data\NSeries
2008-08-05 11:02 . 2008-08-05 11:02 <DIR> d-------- C:\Program Files\SoftSpot Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 11:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-19 11:04 --------- d-----w C:\Documents and Settings\DB\Application Data\LimeWire
2008-08-18 10:22 --------- d-----w C:\Program Files\Nokia
2008-08-18 10:22 --------- d-----w C:\Program Files\Common Files\Nokia
2008-08-18 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-17 11:39 --------- d-----w C:\Program Files\LimeWire
2008-07-17 09:01 --------- d-----w C:\Program Files\Java
2008-07-14 16:06 --------- d-----w C:\Documents and Settings\DB\Application Data\Nokia
2008-07-14 12:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-14 10:55 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-03 13:59 309 ----a-w C:\SETCARDS.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\wvUoNGay

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Command WorkStation 4.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Command WorkStation 4.lnk
backup=C:\WINDOWS\pss\Command WorkStation 4.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2006-08-03 20:02 3871744 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\DB\\Desktop\\games\\Quake 2\\quake2.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet SetupManager\\IMANAGER.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet Config V1\\EpsonNet Config.exe"=

R2 BppPort;BppPort;C:\WINDOWS\system32\drivers\BPP.SYS [2000-10-04 17:35]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 22:26]
S3 TESTCAP;Mobicam, Video Capture Device;C:\WINDOWS\system32\DRIVERS\mobicam.sys [2007-05-08 21:21]
S3 v800bus;Sony Ericsson V800-Vodafone 802SE driver (WDM);C:\WINDOWS\system32\DRIVERS\v800bus.sys [2004-08-09 14:51]
S3 v800mdfl;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\v800mdfl.sys [2004-08-09 14:52]
S3 v800mdm;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\v800mdm.sys [2004-08-09 14:53]
S3 v800mgmt;Sony Ericsson V800-Vodafone 802SE USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\v800mgmt.sys [2004-08-09 14:54]
S3 v800obex;Sony Ericsson V800-Vodafone 802SE USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\v800obex.sys [2004-08-09 14:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40568082-2594-11dd-9eb4-000b7d18708b}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd602d6c-dfb8-11dc-9e45-000b7d18708b}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\A1EA3575918DAAA9.job
- c:\docume~1\db\applic~1\openmess\ExtraRemoteCool.exe []
.
- - - - ORPHANS REMOVED - - - -

Notify-mlJBspOh - mlJBspOh.dll
MSConfigStartUp-NBJ - C:\Documents and Settings\DB\Desktop\Copy 2 of Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-SP2 Connection Patcher - C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\DB\Application Data\Mozilla\Firefox\Profiles\xd7cs91z.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 14:06:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-20 14:13:45 - machine was rebooted [DB]
ComboFix-quarantined-files.txt 2008-08-20 12:13:41

Pre-Run: 13,351,383,040 bytes free
Post-Run: 13,330,407,424 bytes free

 
Hello guys,
just an update so far. It took plus/minus 24 minutes to run the complete ComboFix. Now when I start up, I get 2 rundll errors popping up saying 'error loading c:\windows\system32\tmsgjnea.dll' and 'sfwkpklq.dll', and I can't load my Nokia PC Suite drivers from disc. Also, I think Combo somehow interfered with Symantec so I uninstalled it. Does this make any sense to you?
If you guys need any technical expertise on printers let me know, I'm a technician myself.
Thanks. Any suggestions on a good AV programme?
 
Hi guys, I'm getting 2 rundll errors saying that the sfwkpklq.dll and tmsgjnea.dll modules could not be found when I start up. I had to uninstall Symantec as well, and one of my Nokia apps did not work, so I tried reinstalling it from disc but it kept giving errors. Any ideas?
If you guys need any technical printer expertise, I'm a technician myself. Thanks
 
You're welcome. The trojan has been removed, but the Vundo infection is still present and needs to be taken care of.

To run ComboFix please do the following:

1. Please download ComboFix to your desktop.
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Hi, I'm getting 2 rundll errors, 'sfwkpklq.dll and tmsgjnea.dll modules not found', when I start up, and I could not load a Nokia app from floppy.
If you guys need tech expertise on printers, let me know.
Thanks
 
The rundll errors are actually a good sign: the system cannot find the infected files in order to run them. We'll get rid of the error messages as well, of course.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • O4 - HKLM\..\Run: [BM23974325] "Rundll32.exe" "C:\WINDOWS\system32\tmsgjnea.dll",s
  • O4 - HKLM\..\Run: [20a470b9] "rundll32.exe" "C:\WINDOWS\system32\sfwkpklq.dll",b

Please close all open windows except for HijackThis and choose Fix checked.

Your ComboFix log shows evidence of a flash drive infection. Any portable drives you have used in this system are likely infected and may have spread the infection to any other computers they have been used with. Please connect any flash drives before doing the following:

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\Tasks\A1EA3575918DAAA9.job
    E:\ntde1ect.com
    E:\bittorrent.exe
    
    Folder::
    C:\WINDOWS\system32\kBin15
    C:\Temp
    
    DirLook:
    C:\Documents and Settings\DB\!
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40568082-2594-11dd-9eb4-000b7d18708b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd602d6c-dfb8-11dc-9e45-000b7d18708b}]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [screenshot: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please do a scan with Kaspersky Online Scanner.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With regards to an antivirus program, AVG makes an excellent free antivirus client, as do AntiVir or avast!. I suggest you install one immediately, as running without an antivirus program is exposing you to further infection.

Please post:
  • The ComboFix log
  • The Kaspersky online scanner report
  • A new HijackThis log
  • An update on how your system is running now. What error message (if any) do you get when you try to load the Nokia application?
 
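The CFScript above targets three persistence points visible in the ComboFix log: an extra DLL appended to the LSA Authentication Packages value (reset to just msv1_0 by the hex(7) line), two MountPoints2 keys whose Shell commands launch executables from a removable drive, and a scheduled task that runs a program out of the user's Application Data folder. As an added example, not part of this thread and not ComboFix's own code, the Python script below runs the same checks over ComboFix-style log lines (the sample input is constructed from the log posted above) and decodes the hex(7) REG_MULTI_SZ value to show what the CFScript writes back. The function names and the "any drive letter other than C:" heuristic are my own assumptions.

```python
"""Triage of ComboFix-style log lines for the persistence points a CFScript
would remove. Constructed example for this thread; not ComboFix's own code."""
from __future__ import annotations

import re

# Constructed sample: excerpts copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\wvUoNGay

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40568082-2594-11dd-9eb4-000b7d18708b}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd602d6c-dfb8-11dc-9e45-000b7d18708b}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\A1EA3575918DAAA9.job
- c:\docume~1\db\applic~1\openmess\ExtraRemoteCool.exe []
"""

# On a default XP install the only LSA authentication package is msv1_0.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def check_auth_packages(log: str) -> list[str]:
    """Return every Authentication Packages entry that is not msv1_0."""
    m = re.search(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$", log, re.M)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() not in EXPECTED_AUTH_PACKAGES]


def find_mountpoint_autoruns(log: str) -> dict[str, list[str]]:
    """Map each MountPoints2 GUID to the Shell\\...\\command values listed under it."""
    result: dict[str, list[str]] = {}
    current = None
    for line in log.splitlines():
        key = re.match(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", line, re.I)
        if key:
            current = key.group(1)
            result[current] = []
            continue
        cmd = re.match(r"^\\Shell\\(\S+)\\command - (.+)$", line, re.I)
        if cmd and current:
            result[current].append(cmd.group(2))
        elif current and not line.strip():
            current = None  # a blank line ends the key's block
    return result


def find_task_targets(log: str) -> list[tuple[str, str]]:
    """Pair each .job file in the Scheduled Tasks section with the program it runs."""
    pairs = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        job = re.match(r"^\d{4}-\d{2}-\d{2} (\S+\.job)$", line)
        if job and i + 1 < len(lines):
            target = re.match(r"^- (.+?) \[.*\]$", lines[i + 1])
            if target:
                pairs.append((job.group(1), target.group(1)))
    return pairs


def decode_reg_multi_sz(hex7: str) -> list[str]:
    """Decode the comma-separated bytes of a REGEDIT4 hex(7) value (ANSI REG_MULTI_SZ)."""
    raw = bytes(int(b, 16) for b in hex7.split(","))
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def triage(log: str) -> list[str]:
    """Collect human-readable findings for the three persistence points."""
    findings = []
    for extra in check_auth_packages(log):
        findings.append(f"LSA Authentication Packages loads extra DLL: {extra}")
    for guid, cmds in find_mountpoint_autoruns(log).items():
        for cmd in cmds:
            # Assumption (heuristic): a drive letter other than C:, or a
            # ShellExec_RunDLL relay, means the autorun points at removable media.
            if re.match(r"^[D-Z]:\\", cmd, re.I) or "ShellExec_RunDLL" in cmd:
                findings.append(f"MountPoints2 {guid} autoruns: {cmd}")
    for job, target in find_task_targets(log):
        if re.search(r"applic~1|application data", target, re.I):
            findings.append(f"Scheduled task {job} runs from a profile folder: {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("CFScript writes back:", decode_reg_multi_sz("6d,73,76,31,5f,30,00,00"))
```

The decode step matters because a CFScript Registry:: block replaces the whole value, so anything in the decoded list is what LSA will load at next boot; checking it equals ["msv1_0"] before running the script is a cheap sanity check.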
OK, will do what you say. I loaded NOD32 AV and did a scan; it came to a folder in C:\Docs and Sets\DB, which is me, and a folder called '!'. Anyway, it took very long scanning that folder and deleted a whole lot of stuff in there. Then I rebooted and I get some app called 'winspywareprotect' coming up, which I ended in Task Manager.
These freakin' guys who do these things to our PCs; the world would be better if they focused that energy on helping others. :)
Time to go home to the wife and kid, I will start fresh tomorrow.
Thanks Ceewi
 
OK, I've done what you asked and here are the reports:
Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 08:07:20
Records in database: 1123253
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 65353
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:23:43


File name / Threat name / Threats count
C:\Documents and Settings\DB\Desktop\programmes\aircrack-2.41.tgz Infected: not-a-virus:PSWTool.Win32.AirCrack.a 1
C:\Documents and Settings\DB\Desktop\programmes\mirc62-1.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Documents and Settings\DB\Desktop\programmes\Webroot Spy Sweeper\sspsetup1_60786.exe Infected: Backdoor.Win32.Delf.jgi 1
C:\Eset.NOD32.v3.0.669.Antivirus.Business.Ed.rar Infected: Trojan-Downloader.Win32.Zlob.tia 1
C:\Program Files\Webroot\Spy Sweeper\WRSSHP.EXE Infected: Backdoor.Win32.Delf.jgi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\igjflikw.dll.vir Infected: Trojan.Win32.Monder.fzd 1

The selected area was scanned.

-----------------------------------------------------------------------------
ComboFix:

ComboFix 08-08-18.05 - DB 2008-08-21 20:18:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT 2:00]
Running from: C:\Documents and Settings\DB\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DB\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Tasks\A1EA3575918DAAA9.job
E:\bittorrent.exe
E:\ntde1ect.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080821140604093.log
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080821152108234.log
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080821190421593.log
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe
C:\Documents and Settings\DB\UserData
C:\Documents and Settings\DB\UserData\index.dat
C:\Temp
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\kBin15
C:\WINDOWS\Tasks\A1EA3575918DAAA9.job

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 11:05 . 2008-08-21 11:05 <DIR> d-------- C:\Program Files\ESET
2008-08-21 11:05 . 2008-08-21 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-21 10:32 . 2008-07-29 21:19 17,023,863 --a------ C:\Eset.NOD32.v3.0.669.Antivirus.Business.Ed.rar
2008-08-20 18:10 . 2008-08-20 18:10 25 --a------ C:\WINDOWS\CDESP44004800Euro.ini
2008-08-19 14:22 . 2008-08-19 14:22 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-19 14:15 . 2008-08-19 14:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 14:09 . 2008-08-19 14:09 <DIR> d-------- C:\CDFix
2008-08-19 11:25 . 2008-08-19 11:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 22:17 . 2008-08-18 22:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-15 11:40 . 2008-08-21 12:59 <DIR> d--hs---- C:\Documents and Settings\DB\!
2008-08-11 08:27 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-08-11 08:27 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-08-11 08:27 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-08-11 08:27 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-08-11 08:27 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-08-05 11:02 . 2008-08-05 11:02 <DIR> d-------- C:\Program Files\SoftSpot Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 17:38 --------- d-----w C:\Program Files\Nokia
2008-08-20 16:38 --------- d-----w C:\Program Files\DivX
2008-08-20 16:12 --------- d-----w C:\Program Files\EPSON
2008-08-20 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-20 14:31 --------- d-----w C:\Program Files\TubeSucker
2008-08-20 12:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-17 11:39 --------- d-----w C:\Program Files\LimeWire
2008-07-17 09:01 --------- d-----w C:\Program Files\Java
2008-07-14 12:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-14 11:03 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-14 10:55 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-03 13:59 309 ----a-w C:\SETCARDS.DLL
2008-07-01 07:04 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-07-01 06:57 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-07-01 06:56 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\DB\! ----



((((((((((((((((((((((((((((( snapshot@2008-08-20_14.13.26.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-21 09:05:44 10,134 ----a-r C:\WINDOWS\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\callmsi.exe
+ 2008-08-21 09:05:44 136,448 ----a-r C:\WINDOWS\Installer\{3407FD83-0A2F-475E-BE94-34F1FA342C84}\egui.exe
+ 2002-07-16 04:00:00 29,184 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FBSR9ME.EXE
+ 2006-05-29 04:00:00 446,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FCON9ME.DLL
+ 2006-05-17 05:00:00 62,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FDSP9ME.DLL
+ 2004-04-27 02:01:00 77,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FGRC9ME.DLL
+ 2004-10-14 01:00:00 247,296 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHBR9ME.DLL
+ 2005-09-27 04:20:00 60,928 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHM09ME.DLL
+ 2005-07-06 01:02:00 57,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHSR9ME.DLL
+ 2006-04-20 04:20:00 413,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHT09ME.DLL
+ 2005-02-17 08:00:12 163,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHUT9ME.DLL
+ 2005-02-17 08:00:12 20,480 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FHUT9ME.EXE
+ 2006-04-19 04:00:00 349,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FJBC9ME.DLL
+ 2006-04-19 05:00:00 76,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FMAI9ME.DLL
+ 2006-04-11 04:20:00 48,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FMW09ME.DLL
+ 2006-04-19 04:00:00 143,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FPRE9ME.EXE
+ 2006-04-19 04:00:00 532,480 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FPRU9ME.DLL
+ 2006-04-10 04:20:00 5,148,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FSR09ME.DLL
+ 2006-04-10 04:20:00 4,326,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FSR19ME.DLL
+ 2006-04-20 05:00:00 617,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FUIC9ME.DLL
+ 2006-03-17 01:01:00 991,232 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FUIR9ME.DLL
+ 2002-07-16 04:00:00 29,184 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FBSR9ME.EXE
+ 2006-05-29 04:00:00 446,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FCON9ME.DLL
+ 2006-05-17 05:00:00 62,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FDSP9ME.DLL
+ 2004-04-27 02:01:00 77,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FGRC9ME.DLL
+ 2004-10-14 01:00:00 247,296 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHBR9ME.DLL
+ 2005-09-27 04:20:00 60,928 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHM09ME.DLL
+ 2005-07-06 01:02:00 57,344 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHSR9ME.DLL
+ 2006-04-20 04:20:00 413,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHT09ME.DLL
+ 2005-02-17 08:00:12 163,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHUT9ME.DLL
+ 2005-02-17 08:00:12 20,480 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FHUT9ME.EXE
+ 2006-04-19 04:00:00 349,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FJBC9ME.DLL
+ 2006-04-19 05:00:00 76,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FMAI9ME.DLL
+ 2006-04-11 04:20:00 48,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FMW09ME.DLL
+ 2006-04-19 04:00:00 143,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FPRE9ME.EXE
+ 2006-04-19 04:00:00 532,480 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FPRU9ME.DLL
+ 2006-04-10 04:20:00 5,148,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FSR09ME.DLL
+ 2006-04-10 04:20:00 4,326,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FSR19ME.DLL
+ 2006-04-20 05:00:00 617,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FUIC9ME.DLL
+ 2006-03-17 01:01:00 991,232 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_FUIR9ME.DLL
+ 2004-02-19 02:03:00 65,536 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\E_S00RP2.EXE
+ 2003-02-20 01:08:00 54,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\EPSET32.DLL
+ 2004-04-21 00:00:00 5,729 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\EPUPDATE.DAT
+ 2006-04-06 06:17:00 712,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_pro_4800f282\EPUPDATE.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 09:01 1447168]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Command WorkStation 4.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Command WorkStation 4.lnk
backup=C:\WINDOWS\pss\Command WorkStation 4.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2006-08-03 20:02 3871744 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\DB\\Desktop\\games\\Quake 2\\quake2.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet SetupManager\\IMANAGER.exe"=
"C:\\Program Files\\EpsonNet\\EpsonNet Config V1\\EpsonNet Config.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-07-01 09:04]
R2 BppPort;BppPort;C:\WINDOWS\system32\drivers\BPP.SYS [2000-10-04 17:35]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 22:26]
S3 TESTCAP;Mobicam, Video Capture Device;C:\WINDOWS\system32\DRIVERS\mobicam.sys [2007-05-08 21:21]
S3 v800bus;Sony Ericsson V800-Vodafone 802SE driver (WDM);C:\WINDOWS\system32\DRIVERS\v800bus.sys [2004-08-09 14:51]
S3 v800mdfl;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\v800mdfl.sys [2004-08-09 14:52]
S3 v800mdm;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\v800mdm.sys [2004-08-09 14:53]
S3 v800mgmt;Sony Ericsson V800-Vodafone 802SE USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\v800mgmt.sys [2004-08-09 14:54]
S3 v800obex;Sony Ericsson V800-Vodafone 802SE USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\v800obex.sys [2004-08-09 14:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40568082-2594-11dd-9eb4-000b7d18708b}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd602d6c-dfb8-11dc-9e45-000b7d18708b}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCSuiteTrayApplication - C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
Notify-NavLogon - (no file)
MSConfigStartUp-PCSuiteTrayApplication - C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 20:21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-21 20:24:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-21 18:23:57
ComboFix2.txt 2008-08-20 12:13:46

Pre-Run: 23,342,243,840 bytes free
Post-Run: 23,347,421,184 bytes free

207

-------------------------------------------------------------------------
hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:56 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.181.28.6:8080
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3945 bytes
-------------------------------------------------------------------------
The system otherwise seems better.

The Nokia programme comes up with a whole lot of ".dll module not found" errors, and it keeps asking if I should abort, retry or ignore. Do you need all of them?
Oh, and there are 6 svchost.exe processes running in Task Manager, if that means anything.

Thank you very much for your effort, really appreciated.