somethings infected

mkjaekmi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:39 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zango\bin\10.1.181.0\Srv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: SXG Advisor - {606C68BF-D3B8-49DC-9CEE-135B19698E93} - C:\WINDOWS\dgtxrdfrmw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Zango /fleok=1D8A83A5C2E4137E90A4612A1FBB39BFE4976E26CAEDA120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll
O3 - Toolbar: ekvgsnw - {FDACA365-AC49-4205-ADB4-489C5A221D24} - C:\WINDOWS\ekvgsnw.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.1.181.0\ZangoSA.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://www.ongamenet.com/p3test/p3instal.cab
O21 - SSODL: alofkmn - {67260B3B-3A90-408E-BE9A-E95ACFF8A8B0} - C:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {57EBC46D-DBC0-4144-8834-CEC6335EA8EB} - C:\WINDOWS\bxlrvps.dll
O21 - SSODL: MonWin - {df5b761e-1842-4171-a917-c4ca280c4206} - C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5937 bytes

P.S. Is Zango a fake installer with virus/malware?
 
Zango isn't a fake installer, but it is adware, and I strongly suggest you remove it.

Please click on Start -> Control Panel -> Add or Remove Programs. Click on Zango or anything with Zango in the name and click Remove.

Once done, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 
ComboFix 07-08-17.2 - "Owner" 2008-02-27 16:21:05.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.271 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\Config.xml
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\db\Aliases.dbs
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\db\Sites.dbs
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\dwld\WhiteList.xip
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\report\aggr_storage.xml
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\report\send_storage.xml
C:\DOCUME~1\Owner\APPLIC~1\ShoppingReport\cs\res1\WhiteList.dbs
C:\DOCUME~1\Owner\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Owner\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1.\Spyware&Malware Protection.url
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))


2008-02-26 00:45 81,920 --a------ C:\WINDOWS\fkxvkns.exe
2008-02-26 00:45 335,872 --a------ C:\WINDOWS\bxlrvps.dll
2008-02-26 00:45 266,240 --a------ C:\WINDOWS\dgtxrdfrmw.dll
2008-02-26 00:45 200,704 --a------ C:\WINDOWS\alofkmn.dll
2008-02-26 00:45 176,128 --a------ C:\WINDOWS\ekvgsnw.dll
2008-02-22 16:57 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-22 16:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-22 16:42 <DIR> dr-h----- C:\MSOCache
2008-02-09 08:14 <DIR> d-------- C:\DOCUME~1\Owner\AbiSuite
2008-01-27 01:23 <DIR> d-------- C:\DOCUME~1\Owner\SmitfraudFix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-24 00:37 --------- d-------- C:\Program Files\Warcraft III
2008-02-22 23:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2008-02-20 02:53 --------- d-------- C:\Program Files\LimeWire
2008-01-24 00:31 --------- d-------- C:\Program Files\K-Lite Codec Pack
2008-01-24 00:31 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2008-01-24 00:26 --------- d-------- C:\Program Files\DivX
2008-01-24 00:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2008-01-21 15:20 --------- d-------- C:\Program Files\Google
2008-01-20 19:16 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2008-01-20 18:40 --------- d-------- C:\Program Files\Azureus
2008-01-20 15:01 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2008-01-20 13:51 1582 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-20 00:10 --------- d-------- C:\Program Files\Yahoo!
2008-01-19 23:28 --------- d-------- C:\Program Files\IDSignet
2008-01-18 22:42 13312 --a-s---- C:\WINDOWS\system32\shlahsd.dll
2008-01-18 22:41 --------- d-------- C:\Program Files\MySpace
2008-01-18 22:40 --------- d-------- C:\Program Files\Free Download Manager
2008-01-18 21:46 --------- d-------- C:\Program Files\Common Files\INCA Shared
2008-01-18 21:45 --------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\ijjigame
2008-01-18 21:40 --------- d--h----- C:\Program Files\InstallShield Installation Information




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53, on 2008-02-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {606C68BF-D3B8-49DC-9CEE-135B19698E93} - C:\WINDOWS\dgtxrdfrmw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ekvgsnw - {FDACA365-AC49-4205-ADB4-489C5A221D24} - C:\WINDOWS\ekvgsnw.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://www.ongamenet.com/p3test/p3instal.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O21 - SSODL: alofkmn - {67260B3B-3A90-408E-BE9A-E95ACFF8A8B0} - C:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {57EBC46D-DBC0-4144-8834-CEC6335EA8EB} - C:\WINDOWS\bxlrvps.dll
O21 - SSODL: MonWin - {df5b761e-1842-4171-a917-c4ca280c4206} - C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 7151 bytes
 
It looks like your ComboFix log has been cut off. Please post the entire log, which can be located at C:\ComboFix.txt, splitting it over multiple posts if necessary.
 
Use HijackThis and delete these:

C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe Fuzzy Algorithmcheck (2.56 / 5.00), Nasty

O2 - BHO: Zango /fleok=1D8A83A5C2E4137E90A4612A1FBB39BFE4976E26CAEDA120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll
Must be fixed! HostIE.dll - ZangoSearch, http://securityresponse.symantec.com/avcenter/venc/data/adware.zangosearch.html adware variant - also see this_note, http://www.benedelman.org/spyware/180-affiliates/

O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll
Must be fixed! HostIE.dll - ZangoSearch, http://securityresponse.symantec.com/avcenter/venc/data/adware.zangosearch.html adware variant - also see this_note, http://www.benedelman.org/spyware/180-affiliates/

O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.1.181.0\OEAddOn.exe Fuzzy Algorithmcheck (2.24 / 5.00), Nasty

O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
Fuzzy Algorithmcheck (2.56 / 5.00), Nasty

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
Nasty Fuzzy Algorithmcheck (2.45 / 5.00), Nasty

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
Fuzzy Algorithmcheck (2.45 / 5.00), Nasty

or copy the HijackThis log here: www.hijackthis.de and click Analyze, then you'll see what's going on :)
 
AlphaBlues, it appears you have not even looked at the most recent log that mkjaekmi has posted. In addition, your advice has missed the main infection and would not even be effective at removing the infections you have identified. Be aware that online analysers like that are unreliable at best, and the advice contained can be downright dangerous.

While I am always gratified to see people trying to help, please understand that by responding to logs without a firm understanding of what's going on you risk doing more harm than good, and may inadvertently damage the user's system. I strongly suggest that you put the time into learning to analyse logs properly before responding to real logs.
 
ComboFix 07-08-17.2 - "Owner" 2008-02-27 4:11:27.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.163 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))


2008-02-26 00:45 81,920 --a------ C:\WINDOWS\fkxvkns.exe
2008-02-26 00:45 335,872 --a------ C:\WINDOWS\bxlrvps.dll
2008-02-26 00:45 266,240 --a------ C:\WINDOWS\dgtxrdfrmw.dll
2008-02-26 00:45 200,704 --a------ C:\WINDOWS\alofkmn.dll
2008-02-26 00:45 176,128 --a------ C:\WINDOWS\ekvgsnw.dll
2008-02-22 16:57 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-22 16:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-22 16:42 <DIR> dr-h----- C:\MSOCache
2008-02-09 08:14 <DIR> d-------- C:\DOCUME~1\Owner\AbiSuite
2008-01-27 01:23 <DIR> d-------- C:\DOCUME~1\Owner\SmitfraudFix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-24 00:37 --------- d-------- C:\Program Files\Warcraft III
2008-02-22 23:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2008-02-20 02:53 --------- d-------- C:\Program Files\LimeWire
2008-01-24 00:31 --------- d-------- C:\Program Files\K-Lite Codec Pack
2008-01-24 00:31 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2008-01-24 00:26 --------- d-------- C:\Program Files\DivX
2008-01-24 00:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2008-01-21 15:20 --------- d-------- C:\Program Files\Google
2008-01-20 19:16 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2008-01-20 18:40 --------- d-------- C:\Program Files\Azureus
2008-01-20 15:01 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2008-01-20 13:51 1582 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-20 00:10 --------- d-------- C:\Program Files\Yahoo!
2008-01-19 23:28 --------- d-------- C:\Program Files\IDSignet
2008-01-18 22:42 13312 --a-s---- C:\WINDOWS\system32\shlahsd.dll
2008-01-18 22:41 --------- d-------- C:\Program Files\MySpace
2008-01-18 22:40 --------- d-------- C:\Program Files\Free Download Manager
2008-01-18 21:46 --------- d-------- C:\Program Files\Common Files\INCA Shared
2008-01-18 21:45 --------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\ijjigame
2008-01-18 21:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2008-01-18 21:40 --------- d-------- C:\Program Files\NHN USA
2008-01-14 21:23 --------- d-------- C:\Program Files\eRightSoft
2007-12-24 13:49 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-20 23:11 81920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-04 13:38 550912 --a------ C:\WINDOWS\system32\oleaut32.dll
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{606C68BF-D3B8-49DC-9CEE-135B19698E93}]
2008-02-25 17:56 266240 --a------ C:\WINDOWS\dgtxrdfrmw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 16:16]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-07-01 18:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-21 15:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"alofkmn"= {67260B3B-3A90-408E-BE9A-E95ACFF8A8B0} - C:\WINDOWS\alofkmn.dll [2008-02-25 17:56 200704]
"bxlrvps"= {57EBC46D-DBC0-4144-8834-CEC6335EA8EB} - C:\WINDOWS\bxlrvps.dll [2008-02-25 17:56 335872]
"MonWin"= {df5b761e-1842-4171-a917-c4ca280c4206} - C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll [2008-02-26 00:46 17958]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\HNC\HncUpdate.exe /A

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
S3 IDRegSvr;IDSignet Registration Service;"C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe" -d
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys


Contents of the 'Scheduled Tasks' folder
2008-02-09 14:39:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2008-02-27 08:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 04:14:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-02-27 4:18:15
C:\ComboFix-quarantined-files.txt ... 2008-02-27 04:18
C:\ComboFix2.txt ... 2008-02-27 06:07
C:\ComboFix3.txt ... 2008-02-27 16:44

--- E O F ---




P.S. For future reference, where do I go to see the ComboFix.txt? In Program Files?

Thank You
 
Sorry about the delay; unfortunately, I have a lot of logs to deal with and only a limited amount of time in which to do so. The ComboFix report should be located in a file called ComboFix.txt on the root of the C:\ drive.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
  • O3 - Toolbar: ekvgsnw - {FDACA365-AC49-4205-ADB4-489C5A221D24} - C:\WINDOWS\ekvgsnw.dll
  • O18 - Protocol: ipp - (no CLSID) - (no file)
  • O18 - Protocol: msdaipp - (no CLSID) - (no file)
Please close all open windows except for HijackThis and choose Fix checked.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\fkxvkns.exe
    C:\WINDOWS\bxlrvps.dll
    C:\WINDOWS\dgtxrdfrmw.dll
    C:\WINDOWS\alofkmn.dll
    C:\WINDOWS\ekvgsnw.dll
    C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{606C68BF-D3B8-49DC-9CEE-135B19698E93}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "alofkmn"=-
    "bxlrvps"=-
    "MonWin"=-
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

How is your system running now?
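The reasoning behind the fix list above (four same-minute DLLs dropped straight into C:\WINDOWS with random names, loaded through a BHO, a toolbar and ShellServiceObjectDelayLoad entries, plus fkxvkns.exe that no loading point names) can be automated as a first-pass triage. The script below is an added example and is not part of this thread, HijackThis or ComboFix; the sample lines are copied from the logs posted above, and the heuristics (consonant-run name check, module in the C:\WINDOWS root, SSODL entry outside system32, same-minute creation cluster) are assumptions of the example, not rules from either tool.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis and ComboFix logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {606C68BF-D3B8-49DC-9CEE-135B19698E93} - C:\WINDOWS\dgtxrdfrmw.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ekvgsnw - {FDACA365-AC49-4205-ADB4-489C5A221D24} - C:\WINDOWS\ekvgsnw.dll
O21 - SSODL: alofkmn - {67260B3B-3A90-408E-BE9A-E95ACFF8A8B0} - C:\WINDOWS\alofkmn.dll
O21 - SSODL: bxlrvps - {57EBC46D-DBC0-4144-8834-CEC6335EA8EB} - C:\WINDOWS\bxlrvps.dll
O21 - SSODL: MonWin - {df5b761e-1842-4171-a917-c4ca280c4206} - C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll
"""
COMBOFIX_SAMPLE = r"""
2008-02-26 00:45 81,920 --a------ C:\WINDOWS\fkxvkns.exe
2008-02-26 00:45 335,872 --a------ C:\WINDOWS\bxlrvps.dll
2008-02-26 00:45 266,240 --a------ C:\WINDOWS\dgtxrdfrmw.dll
2008-02-26 00:45 200,704 --a------ C:\WINDOWS\alofkmn.dll
2008-02-26 00:45 176,128 --a------ C:\WINDOWS\ekvgsnw.dll
2008-02-22 16:57 <DIR> d-------- C:\Program Files\Microsoft Works
"""

# HijackThis loading-point lines: "Oxx - Kind: name - {CLSID} - module path"
HJT_RE = re.compile(r"^(O\d+) - (?:BHO|Toolbar|SSODL): (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# ComboFix "Files Created" lines: "YYYY-MM-DD HH:MM size-or-<DIR> attributes path"
CF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")


def parse_hjt(text):
    """Yield (section, name, module_path) for O2/O3/O21 lines."""
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def parse_combofix_created(text):
    """Yield (timestamp to the minute, path) for 'Files Created' lines."""
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def longest_consonant_run(name):
    """Pronounceable names rarely exceed 3 consonants in a row; dropper names often do."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def suspicious_reasons(section, path):
    """Heuristics assumed by this example (not HijackThis or ComboFix rules)."""
    directory, _, filename = path.rpartition("\\")
    directory = directory.lower()
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if directory == r"c:\windows":
        reasons.append("module dropped directly in C:\\WINDOWS instead of system32 or Program Files")
    if longest_consonant_run(stem) >= 4:
        reasons.append(f"random-looking file name {filename!r}")
    if section == "O21" and directory != r"c:\windows\system32":
        reasons.append("ShellServiceObjectDelayLoad entry outside system32 (loaded into Explorer at logon)")
    return reasons


def triage(hjt_text, cf_text, min_cluster=3):
    """Return {module path: [reasons]} for every file worth reviewing."""
    flagged = defaultdict(list)
    for section, _name, path in parse_hjt(hjt_text):
        for r in suspicious_reasons(section, path):
            flagged[path].append(f"{section}: {r}")
    # Files written in the same minute as a flagged module belong to the same
    # drop even when no loading point names them (fkxvkns.exe in this thread).
    by_minute = defaultdict(list)
    for ts, path in parse_combofix_created(cf_text):
        by_minute[ts].append(path)
    key_for = {p.lower(): p for p in flagged}
    for ts, paths in by_minute.items():
        if len(paths) < min_cluster or not any(p.lower() in key_for for p in paths):
            continue
        for p in paths:
            key = key_for.get(p.lower(), p)
            if key not in flagged:
                for r in suspicious_reasons(None, p):
                    flagged[key].append(f"ComboFix: {r}")
            flagged[key].append(f"ComboFix: created {ts} with {len(paths) - 1} other file(s) in the same minute")
    return dict(flagged)


if __name__ == "__main__":
    for path, reasons in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run on the sample, it flags exactly the six files the CFScript removes and nothing legitimate (the Adobe and Google modules pass every check), which is the cross-check a helper does by hand before writing a File:: section. The consonant-run test is deliberately crude; treat its output as a list of things to look at, not as a verdict.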
 
Still seems there's something wrong. After my PC rebooted, it said in the icon (bottom right) *your computer may be infected*. Also, there was never the O18 proto

Anyways, here's the new log

ComboFix 07-08-17.2 - "Owner" 2008-02-29 0:51:53.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.949.82.1033.18.272 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\fkxvkns.exe
C:\WINDOWS\bxlrvps.dll
C:\WINDOWS\dgtxrdfrmw.dll
C:\WINDOWS\alofkmn.dll
C:\WINDOWS\ekvgsnw.dll
C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Owner\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\alofkmn.dll
C:\WINDOWS\bxlrvps.dll
C:\WINDOWS\dgtxrdfrmw.dll
C:\WINDOWS\ekvgsnw.dll
C:\WINDOWS\fkxvkns.exe
C:\WINDOWS\Installer\{df5b761e-1842-4171-a917-c4ca280c4206}\MonWin.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm


((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))


2008-02-22 16:57 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-22 16:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-22 16:42 <DIR> dr-h----- C:\MSOCache
2008-02-09 08:14 <DIR> d-------- C:\DOCUME~1\Owner\AbiSuite


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-28 05:51 --------- d-------- C:\Program Files\Warcraft III
2008-02-22 23:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2008-02-20 02:53 --------- d-------- C:\Program Files\LimeWire
2008-01-24 00:31 --------- d-------- C:\Program Files\K-Lite Codec Pack
2008-01-24 00:31 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Real
2008-01-24 00:26 --------- d-------- C:\Program Files\DivX
2008-01-24 00:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2008-01-21 15:20 --------- d-------- C:\Program Files\Google
2008-01-20 19:16 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2008-01-20 18:40 --------- d-------- C:\Program Files\Azureus
2008-01-20 15:01 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2008-01-20 13:51 1582 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-20 00:10 --------- d-------- C:\Program Files\Yahoo!
2008-01-19 23:28 --------- d-------- C:\Program Files\IDSignet
2008-01-18 22:42 13312 --a-s---- C:\WINDOWS\system32\shlahsd.dll
2008-01-18 22:41 --------- d-------- C:\Program Files\MySpace
2008-01-18 22:40 --------- d-------- C:\Program Files\Free Download Manager
2008-01-18 21:46 --------- d-------- C:\Program Files\Common Files\INCA Shared
2008-01-18 21:45 --------- d--h----- C:\DOCUME~1\Owner\APPLIC~1\ijjigame
2008-01-18 21:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2008-01-18 21:40 --------- d-------- C:\Program Files\NHN USA
2008-01-14 21:23 --------- d-------- C:\Program Files\eRightSoft
2007-12-24 13:49 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-20 23:11 81920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-04 13:38 550912 --a------ C:\WINDOWS\system32\oleaut32.dll
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-07-08 16:16]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-07-01 18:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-21 15:20]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\HNC\HncUpdate.exe /A

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
S3 IDRegSvr;IDSignet Registration Service;"C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe" -d
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys


Contents of the 'Scheduled Tasks' folder
2008-02-09 14:39:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2008-02-27 08:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 01:04:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-02-29 1:06:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-29 01:06
C:\ComboFix2.txt ... 2008-02-27 04:18
C:\ComboFix3.txt ... 2008-02-27 06:07

--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:54 AM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://www.ongamenet.com/p3test/p3instal.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4606 bytes
 
Still a few things to go.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 
SmitFraudFix v2.274

Scan done at 11:04:54.96, 03/01/2008 Sat
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.15
DNS Server Search Order: 24.29.103.16

HKLM\SYSTEM\CCS\Services\Tcpip\..\{82912F54-ABBF-4D8F-B0CB-A61311C32FF0}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{84AB7961-C4EE-4D1E-83E3-F6844C4C724E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FF8A3BCA-CF5B-43AE-878C-E197341B1D75}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{82912F54-ABBF-4D8F-B0CB-A61311C32FF0}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84AB7961-C4EE-4D1E-83E3-F6844C4C724E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FF8A3BCA-CF5B-43AE-878C-E197341B1D75}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{82912F54-ABBF-4D8F-B0CB-A61311C32FF0}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{84AB7961-C4EE-4D1E-83E3-F6844C4C724E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FF8A3BCA-CF5B-43AE-878C-E197341B1D75}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Sorry, I missed your earlier post before.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Please close all open windows except for HijackThis and choose Fix checked

Please delete the following file:
C:\WINDOWS\system32\shlahsd.dll

Please reboot and post a new HijackThis log. How is your system running now?
 
There's no shlahsd in the Windows\system32 folder. The only thing close to it is shellext.
System seems to be running fine now. Are there any other things I can delete?
 
That should be the last file. It was appearing in your ComboFix log, and while it's certainly possible that a protection program has removed it since then, I'd like to make sure that that's the case and that it's not hidden.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\shlahsd.dll
  • Return to OTMoveIt2, right click in the Paste Standard List of Files/Folders to be Moved window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
DllUnregisterServer procedure not found in C:\WINDOWS\system32\shlahsd.dll
C:\WINDOWS\system32\shlahsd.dll NOT unregistered.
C:\WINDOWS\system32\shlahsd.dll moved successfully.

OTMoveIt2 v1.0.20 log created on 03082008_235556
 
Excellent, that's gotten rid of that last file. I'd just like to see one more HijackThis log to make sure that we've gotten everything.
 
I think there's still something left; my comp is still slow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:40 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} (ImPlayer Control) - http://activexdown.paran.com/paranactivex/data/ImPlayer.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://www.ongamenet.com/p3test/p3instal.cab
O21 - SSODL: KernelCD - {dee6851b-a492-48ec-881f-1bbe9aea5f43} - C:\WINDOWS\Installer\{dee6851b-a492-48ec-881f-1bbe9aea5f43}\KernelCD.dll
O21 - SSODL: zip - {41c95821-d9f1-49cf-914d-301550ad3e0f} - C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f}\zip.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 4603 bytes


Thank you
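As an added example (not code from this thread, from HijackThis or from any helper in it), the script below shows how the O2/O4/O21/O23/O24 line formats seen in the logs above can be parsed and triaged automatically before a human decides what to fix. The sample log is constructed from lines posted in this thread; the regexes, function names and the four review heuristics (an autorun binary sitting directly under Program Files, a shell-start DLL in a GUID folder under WINDOWS\Installer, a service whose file is missing, an Active Desktop component served from a local HTML file) are this example's own assumptions and produce items for review, not verdicts.

```python
"""Added example: triage of HijackThis v2.0.2 log lines with defender heuristics.

Not HijackThis code. The regexes follow the line formats visible in this
thread; the flags are conservative review heuristics (assumptions of this
example), not malware verdicts.
"""
import re
from dataclasses import dataclass, field

# Line formats as printed by HijackThis v2.0.2 in the logs above.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O21_RE = re.compile(r'^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$')
O24_RE = re.compile(r'^O24 - Desktop Component \d+: (?P<name>.*?) - (?P<src>.+)$')

# First binary in a Run command line: optionally quoted, cut at the extension
# (followed by end, quote or whitespace) so unquoted paths with spaces survive.
EXE_RE = re.compile(r'^"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd)(?=$|"|\s))',
                    re.IGNORECASE)

# Heuristic (assumption): installers create a subfolder, so a lone binary
# directly under Program Files deserves a look.
PF_ROOT_RE = re.compile(r'^[A-Za-z]:\\Program Files\\[^\\]+\.(?:exe|dll)$', re.IGNORECASE)
# Heuristic (assumption): a shell-start (SSODL) DLL living in a GUID-named
# folder under WINDOWS\Installer is not where normal shell extensions live.
INSTALLER_GUID_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\Installer\\\{[0-9A-Fa-f-]+\}\\',
                               re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # HijackThis section code, e.g. "O4"
    name: str            # entry name as printed in the log
    path: str            # file path, command target or URL
    flags: list = field(default_factory=list)
    raw: str = ""


def parse_line(line):
    """Return an Entry for a recognised HijackThis line, else None."""
    line = line.strip()
    if m := O4_RE.match(line):
        exe = EXE_RE.match(m['cmd'])
        return Entry('O4', m['name'], exe['p'] if exe else m['cmd'], raw=line)
    if m := O2_RE.match(line):
        return Entry('O2', m['name'], m['path'], raw=line)
    if m := O21_RE.match(line):
        return Entry('O21', m['name'], m['path'], raw=line)
    if m := O23_RE.match(line):
        return Entry('O23', m['name'], m['path'], raw=line)
    if m := O24_RE.match(line):
        return Entry('O24', m['name'], m['src'], raw=line)
    return None


def triage(entry):
    """Attach review flags to one entry (heuristics only, not verdicts)."""
    p = entry.path
    if entry.kind == 'O4' and PF_ROOT_RE.match(p):
        entry.flags.append('autorun binary sits directly under Program Files')
    if entry.kind == 'O21' and INSTALLER_GUID_RE.match(p):
        entry.flags.append('shell-start DLL in GUID folder under WINDOWS\\Installer')
    if entry.kind == 'O23' and '(file missing)' in p:
        entry.flags.append('service points at a missing file (orphaned entry)')
    if entry.kind == 'O24' and p.lower().startswith('file:///'):
        entry.flags.append('Active Desktop component served from a local HTML file')
    return entry


def triage_log(text):
    """Parse every recognised line of a log and flag each entry."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text):
    """(kind, name, flags) for the entries that need human review."""
    return [(e.kind, e.name, e.flags) for e in triage_log(text) if e.flags]


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O21 - SSODL: zip - {41c95821-d9f1-49cf-914d-301550ad3e0f} - C:\WINDOWS\Installer\{41c95821-d9f1-49cf-914d-301550ad3e0f}\zip.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IDSignet Registration Service (IDRegSvr) - Unknown owner - C:\Program Files\IDSignet\ID-Sign\IDRegSvr.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == '__main__':
    for kind, name, flags in flagged(SAMPLE_LOG):
        print(f'{kind:<4} {name:<45} -> {"; ".join(flags)}')
```

Run over the sample, only the four entries a helper would single out come back flagged (the Program Files root binary, the SSODL DLL, the orphaned service and the local-file desktop component); the Java, Google and McAfee entries parse cleanly with no flags. The point of keeping flags as a list rather than a verdict is that the person reading the log still decides, exactly as the helper does in this thread.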
 