Please Check My Hijackthis Log File
I have a virus or something in my PC. I end the process in the Task Manager and delete the file in the TEMP folder, but it still comes back. I am posting the HijackThis log here and I have made a line in bold so as to see the issue. Please tell me what to do.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:37 PM, on 4/12/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\DOCUME~1\sunny\LOCALS~1\Temp\6VKQ322c.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Documents and Settings\sunny\Application Data\RoboForm\roboform.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{411A98B9-FC4B-48CC-B06D-12C81CD9A613}: NameServer = 218.248.240.24 218.248.240.135
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 6391 bytes
Comments
Hello Sunny,
Please download ComboFix here. Do not run it yet. Print the following instructions. After you run this tool, post the output and a new HijackThis log.
Best regards
Niels
Here I am posting the ComboFix log and the new HijackThis log. I hope this has fixed the error. Please tell me if there's anything I need to do further.
COMBO FIX LOG
ComboFix 08-04-11.8 - sunny 2008-04-12 22:22:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT 5.5:30]
Running from: C:\Documents and Settings\sunny\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.
2008-04-12 22:16 . 2008-04-12 22:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-12 22:16 . 2008-04-12 22:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-12 20:46 . 2008-04-12 20:46 <DIR> d--hs---- C:\FOUND.003
2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\PC Tools
2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 02:11 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-12 02:11 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-12 02:11 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-12 02:11 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-12 01:35 . 2008-04-12 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-12 01:33 . 2008-04-12 01:33 <DIR> d--hs---- C:\FOUND.002
2008-04-08 13:00 . 2008-04-08 13:00 <DIR> d-------- C:\Program Files\Ahead
2008-04-06 11:30 . 2008-04-06 11:30 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-06 11:16 . 2008-04-06 11:16 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-06 11:14 . 2008-04-06 11:14 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-05 15:11 . 2008-04-05 15:11 <DIR> d-------- C:\Program Files\HP
2008-04-05 15:11 . 2008-04-05 15:12 106,912 --a------ C:\WINDOWS\hpqins13.dat
2008-04-05 15:10 . 2008-04-05 15:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-04 11:18 . 2008-04-12 14:18 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-04 11:07 . 2008-04-12 22:04 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-04 11:06 . 2008-04-04 11:06 <DIR> d-------- C:\Program Files\BitDefender
2008-04-04 11:05 . 2008-04-04 11:05 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-04 03:01 . 2008-04-04 03:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 02:17 . 2008-04-04 02:17 29,248 --a------ C:\WINDOWS\system32\iB0M3oar.exe
2008-04-02 18:24 . 2008-04-02 18:24 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\Orbit
2008-03-31 10:26 . 2008-03-31 10:26 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-03-31 10:26 . 2008-03-31 10:26 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\Orbit
2008-03-30 16:27 . 2008-03-30 16:27 <DIR> d--hs---- C:\FOUND.001
2008-03-28 20:48 . 2008-03-28 20:48 <DIR> d-------- C:\Program Files\FLV Player
2008-03-27 22:18 . 2008-03-27 22:18 <DIR> d-------- C:\Program Files\Pocket Tanks Deluxe
2008-03-22 16:44 . 2008-03-22 16:44 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\Yahoo!
2008-03-22 16:42 . 2008-03-22 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-22 16:40 . 2008-03-22 16:40 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-22 14:04 . 2008-03-22 14:04 <DIR> d---s---- C:\Documents and Settings\dad\UserData
2008-03-21 22:30 . 2008-03-21 22:30 <DIR> d-------- C:\Documents and Settings\dad\Application Data\AVG7
2008-03-21 12:29 . 2008-03-21 12:29 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\RoboForm
2008-03-21 11:57 . 2008-03-21 11:57 <DIR> d--hs---- C:\FOUND.000
2008-03-16 19:14 . 2004-03-12 00:54 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-16 19:14 . 2004-03-12 00:54 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 19:25 . 2008-03-15 19:25 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\vlc
2008-03-14 19:20 . 2008-03-14 19:20 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\AVG7
2008-03-14 02:28 . 2004-03-12 00:53 26,624 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-14 01:22 . 2008-03-14 01:22 <DIR> d-------- C:\WINDOWS\Sun
2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\AVG7
2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-13 02:20 . 2008-03-13 02:20 <DIR> d-------- C:\Program Files\Slawdog
2008-03-13 02:03 . 2008-03-13 02:03 <DIR> d-------- C:\Documents and Settings\sunny\Incomplete
2008-03-13 02:03 . 2008-03-13 02:03 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\LimeWire
2008-03-12 14:55 . 2008-03-12 14:55 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\vlc
2008-03-12 14:31 . 2008-03-12 14:31 <DIR> d-------- C:\Program Files\VideoLAN
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 05:55 3,982 ----a-w C:\WINDOWSkj01d.sys
2008-03-12 05:53 20,780 ----a-w C:\WINDOWS\system32\drivers\XMS1563K.SYS
2008-03-12 05:53 --------- d-----w C:\Documents and Settings\sunny\Application Data\BitTorrent
2008-03-12 05:52 --------- d-----w C:\Program Files\LimeWire
2008-03-12 05:52 --------- d-----w C:\Program Files\DNA
2008-03-12 05:52 --------- d-----w C:\Program Files\BitTorrent
2008-03-12 05:52 --------- d-----w C:\Documents and Settings\sunny\Application Data\DNA
2008-03-12 05:51 --------- d-----w C:\Program Files\Java
2008-03-12 05:51 --------- d-----w C:\Program Files\Common Files\Java
2008-03-12 05:50 18,944 ----a-w C:\WINDOWS\ALI.EXE
2008-03-12 05:50 14,848 ----a-w C:\WINDOWS\MAGIC.EXE
2008-03-12 05:48 --------- d-----w C:\Program Files\HUAWEI
2008-03-12 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2008-03-12 05:46 --------- d-----w C:\Program Files\Siber Systems
2008-03-12 05:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-12 05:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 05:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 05:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-12 05:33 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 11:22 287040]
"RoboForm"="C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe" [2008-03-21 12:29 144448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 12:37 114688]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 16:24 65536 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 16:20 155648]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-03-12 11:23]
*Newly Created Service* - APPMGMT
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 18:40:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 19:30:04 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 20:30:04 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-06 21:30:04 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-06 22:30:06 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-06 23:30:06 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-07 00:30:04 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-07 01:30:06 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-07 02:30:04 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 03:30:04 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 04:30:04 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 05:30:02 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-05 06:30:16 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-12 07:30:04 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-12 08:30:04 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-10 09:30:04 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-10 10:30:04 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-03 20:47:40 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-03 20:47:40 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-03 20:47:40 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-03 20:47:40 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-12 15:30:04 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-12 16:30:06 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 17:30:06 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\iB0M3oar.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 22:23:37
Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-12 22:23:57
ComboFix-quarantined-files.txt 2008-04-12 16:53:54
Pre-Run: 1,495,969,792 bytes free
Post-Run: 1,508,503,552 bytes free
NEW HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:39 PM, on 4/12/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Documents and Settings\sunny\Application Data\RoboForm\roboform.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{411A98B9-FC4B-48CC-B06D-12C81CD9A613}: NameServer = 218.248.240.24 218.248.240.135
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 5155 bytes
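Added example (not part of this thread and not code from HijackThis or ComboFix): a small checker a helper could run over the posted logs to pull out what makes this infection come back after the process is killed and the Temp file deleted. It reads the ComboFix 'Scheduled Tasks' section to find one executable relaunched by many At*.job tasks, lists processes running from a Temp directory, flags the AntiVirusOverride value, the S0 boot-start driver and the O17 nameservers. The sample input is an excerpt of the logs above; the three-task threshold is an assumption, not a rule from either tool.

```python
import re
from collections import defaultdict

# Excerpts of the HijackThis and ComboFix logs posted in this thread, trimmed to the lines read below.
HJT_LOG = r"""
Running processes:
C:\DOCUME~1\sunny\LOCALS~1\Temp\6VKQ322c.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{411A98B9-FC4B-48CC-B06D-12C81CD9A613}: NameServer = 218.248.240.24 218.248.240.135
"""
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-03-12 11:23]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 18:40:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 19:30:04 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 20:30:04 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\iB0M3oar.exe
.
"""
JOB_LINE = re.compile(r'^"\S+ \S+ (.+\.job)"$')  # "<date> <time> <path>.job"

def scheduled_task_targets(combofix_text):
    """Map each executable started by a scheduled task to the .job files that start it."""
    # ComboFix prints each task as a quoted job line followed by '- <target>'; a lone '.' closes the section.
    targets, in_section, job = defaultdict(list), False, None
    for line in combofix_text.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and line.strip() == ".":
            break
        elif in_section and JOB_LINE.match(line):
            job = JOB_LINE.match(line).group(1)
        elif in_section and line.startswith("- ") and job:
            targets[line[2:].strip()].append(job)
            job = None
    return dict(targets)

def temp_processes(hjt_text):
    """Running processes whose image lives under a Temp directory (8.3 short names included)."""
    return [l for l in hjt_text.splitlines()
            if re.search(r"\\temp\\", l, re.I) and l.lower().endswith(".exe")]

def nameservers(hjt_text):
    """DNS servers from O17 entries, to be confirmed against the ISP's servers."""
    found = re.findall(r"^O17 - .*NameServer = (.+)$", hjt_text, re.M)
    return [ip for entry in found for ip in entry.split()]

def antivirus_override(combofix_text):
    """True when Security Center is told to suppress its 'no antivirus' warning."""
    return re.search(r'"AntiVirusOverride"=dword:0*1$', combofix_text, re.M) is not None

def boot_start_drivers(combofix_text):
    """(name, path) pairs of S0 boot-start drivers in the 'Reg Loading Points' section."""
    return re.findall(r"^S0 (\w+);\w+;(\S+)", combofix_text, re.M)

def triage(hjt_text, combofix_text, min_jobs=3):
    """Combine the checks into findings; min_jobs is an assumed threshold, not a tool rule."""
    findings = []
    for target, jobs in scheduled_task_targets(combofix_text).items():
        if len(jobs) >= min_jobs:
            findings.append(f"{len(jobs)} scheduled tasks relaunch {target}: {', '.join(jobs)}")
    for proc in temp_processes(hjt_text):
        findings.append(f"process running from a Temp directory: {proc}")
    if antivirus_override(combofix_text):
        findings.append("Security Center AntiVirusOverride=1 (antivirus warnings suppressed)")
    for name, path in boot_start_drivers(combofix_text):
        findings.append(f"boot-start driver {name} at {path}: check publisher and signature")
    if nameservers(hjt_text):
        findings.append("O17 NameServer entries to confirm: " + ", ".join(nameservers(hjt_text)))
    return findings

if __name__ == "__main__":
    for finding in triage(HJT_LOG, COMBOFIX_LOG):
        print("*", finding)
```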
The virus still exists. ComboFix did not work.
Hello sunnygrover,
Please navigate to Start, My Computer, and double-click on the icon of your hard disk. See if you can find a file called WINDOWSkj01d.sys; copy it to a different location, for example your desktop. Open the Windows folder, then the Tasks subfolder, and copy all the files located there that have At(number 1-6), and also these files: MAGIC.EXE and ali.exe. In the system32 subfolder, first go to the Tools menu, Folder Options, Display/View tab, uncheck the option "Hide protected operating system files" and check the option "Show hidden files and folders", press Apply and OK, then search for these files: iB0M3oar.exe (it could be that you only see IBOM3oar). Read this on how you can archive these files. Once you have created the archive, please make a new topic in this section. When you create a topic there, also post the link to this topic. To upload something, once you are in the screen for creating a new topic, scroll down till you see the attachment section, press Browse, navigate to the location where you stored your archive and press Upload. Please also write down the password you used.
Please download this program on an administrator account. You need to store it on your desktop. Now double-click on it; if you see a warning message, please press Run. A screen asking where you want to install will appear; do not change the installation directory, press Install. Now reboot your PC into safe mode by rebooting your computer and pressing the F8 button several times before the Windows loading splash screen; select Safe Mode and press Enter. Now log in with the administrator account (you should log in to a user account on your computer). Now press the Windows key together with R, type C:\SDFix\RunThis.bat and press Enter. To continue press Y. When the scan is finished you will see the message "press any key to continue". Please post the output of the scan report.
Best regards
Niels
I did all that you told me to do. Unfortunately the malware still exists. I have made another post where you told me to, under the heading SAMPLE SUBMISSION. Could you please follow up on that.