Please Check My Hijackthis Log File

I have a virus or something on my PC. I end the process in Task Manager and delete the file in the TEMP folder, but it still comes back. I am posting the HijackThis log here, and I have made a line bold so the issue can be seen. Please tell me what to do.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:37 PM, on 4/12/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\DOCUME~1\sunny\LOCALS~1\Temp\6VKQ322c.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Documents and Settings\sunny\Application Data\RoboForm\roboform.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{411A98B9-FC4B-48CC-B06D-12C81CD9A613}: NameServer = 218.248.240.24 218.248.240.135
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6391 bytes

Comments

  • Hello Sunny,

    Please download ComboFix here. Do not run it yet. Print the following instructions. After you run this tool, post the output and a new HijackThis log.

    Best regards
    Niels

  • Here I am posting the ComboFix log and the new HijackThis log. I hope this has fixed the error. Please tell me if there's anything I need to do further.


    COMBO FIX LOG

    ComboFix 08-04-11.8 - sunny 2008-04-12 22:22:44.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT 5.5:30]
    Running from: C:\Documents and Settings\sunny\Desktop\ComboFix.exe
    .
    ((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
    .
    2008-04-12 22:16 . 2008-04-12 22:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-04-12 22:16 . 2008-04-12 22:16 <DIR> d-------- C:\WINDOWS\LastGood
    2008-04-12 20:46 . 2008-04-12 20:46 <DIR> d--hs---- C:\FOUND.003
    2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\PC Tools
    2008-04-12 02:11 . 2008-04-12 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-12 02:11 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-04-12 02:11 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-04-12 02:11 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-04-12 02:11 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-04-12 01:35 . 2008-04-12 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-04-12 01:33 . 2008-04-12 01:33 <DIR> d--hs---- C:\FOUND.002
    2008-04-08 13:00 . 2008-04-08 13:00 <DIR> d-------- C:\Program Files\Ahead
    2008-04-06 11:30 . 2008-04-06 11:30 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-04-06 11:16 . 2008-04-06 11:16 <DIR> d-------- C:\Program Files\Alcohol Soft
    2008-04-06 11:14 . 2008-04-06 11:14 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-05 15:11 . 2008-04-05 15:11 <DIR> d-------- C:\Program Files\HP
    2008-04-05 15:11 . 2008-04-05 15:12 106,912 --a------ C:\WINDOWS\hpqins13.dat
    2008-04-05 15:10 . 2008-04-05 15:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2008-04-04 11:18 . 2008-04-12 14:18 121 --a------ C:\WINDOWS\bdagent.INI
    2008-04-04 11:07 . 2008-04-12 22:04 81,984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-04-04 11:06 . 2008-04-04 11:06 <DIR> d-------- C:\Program Files\BitDefender
    2008-04-04 11:05 . 2008-04-04 11:05 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-04-04 03:01 . 2008-04-04 03:01 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-04 02:17 . 2008-04-04 02:17 29,248 --a------ C:\WINDOWS\system32\iB0M3oar.exe
    2008-04-02 18:24 . 2008-04-02 18:24 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\Orbit
    2008-03-31 10:26 . 2008-03-31 10:26 <DIR> d-------- C:\Program Files\Orbitdownloader
    2008-03-31 10:26 . 2008-03-31 10:26 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\Orbit
    2008-03-30 16:27 . 2008-03-30 16:27 <DIR> d--hs---- C:\FOUND.001
    2008-03-28 20:48 . 2008-03-28 20:48 <DIR> d-------- C:\Program Files\FLV Player
    2008-03-27 22:18 . 2008-03-27 22:18 <DIR> d-------- C:\Program Files\Pocket Tanks Deluxe
    2008-03-22 16:44 . 2008-03-22 16:44 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\Yahoo!
    2008-03-22 16:42 . 2008-03-22 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-03-22 16:40 . 2008-03-22 16:40 <DIR> d-------- C:\Program Files\Yahoo!
    2008-03-22 14:04 . 2008-03-22 14:04 <DIR> d---s---- C:\Documents and Settings\dad\UserData
    2008-03-21 22:30 . 2008-03-21 22:30 <DIR> d-------- C:\Documents and Settings\dad\Application Data\AVG7
    2008-03-21 12:29 . 2008-03-21 12:29 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\RoboForm
    2008-03-21 11:57 . 2008-03-21 11:57 <DIR> d--hs---- C:\FOUND.000
    2008-03-16 19:14 . 2004-03-12 00:54 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-03-16 19:14 . 2004-03-12 00:54 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
    2008-03-15 19:25 . 2008-03-15 19:25 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\vlc
    2008-03-14 19:20 . 2008-03-14 19:20 <DIR> d-------- C:\Documents and Settings\alisha\Application Data\AVG7
    2008-03-14 02:28 . 2004-03-12 00:53 26,624 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
    2008-03-14 01:22 . 2008-03-14 01:22 <DIR> d-------- C:\WINDOWS\Sun
    2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\AVG7
    2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-13 11:58 . 2008-03-13 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-13 02:20 . 2008-03-13 02:20 <DIR> d-------- C:\Program Files\Slawdog
    2008-03-13 02:03 . 2008-03-13 02:03 <DIR> d-------- C:\Documents and Settings\sunny\Incomplete
    2008-03-13 02:03 . 2008-03-13 02:03 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\LimeWire
    2008-03-12 14:55 . 2008-03-12 14:55 <DIR> d-------- C:\Documents and Settings\sunny\Application Data\vlc
    2008-03-12 14:31 . 2008-03-12 14:31 <DIR> d-------- C:\Program Files\VideoLAN
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-12 05:55 3,982 ----a-w C:\WINDOWSkj01d.sys
    2008-03-12 05:53 20,780 ----a-w C:\WINDOWS\system32\drivers\XMS1563K.SYS
    2008-03-12 05:53 --------- d-----w C:\Documents and Settings\sunny\Application Data\BitTorrent
    2008-03-12 05:52 --------- d-----w C:\Program Files\LimeWire
    2008-03-12 05:52 --------- d-----w C:\Program Files\DNA
    2008-03-12 05:52 --------- d-----w C:\Program Files\BitTorrent
    2008-03-12 05:52 --------- d-----w C:\Documents and Settings\sunny\Application Data\DNA
    2008-03-12 05:51 --------- d-----w C:\Program Files\Java
    2008-03-12 05:51 --------- d-----w C:\Program Files\Common Files\Java
    2008-03-12 05:50 18,944 ----a-w C:\WINDOWS\ALI.EXE
    2008-03-12 05:50 14,848 ----a-w C:\WINDOWS\MAGIC.EXE
    2008-03-12 05:48 --------- d-----w C:\Program Files\HUAWEI
    2008-03-12 05:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
    2008-03-12 05:46 --------- d-----w C:\Program Files\Siber Systems
    2008-03-12 05:45 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-03-12 05:42 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-12 05:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-12 05:40 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-03-12 05:33 --------- d-----w C:\Program Files\microsoft frontpage
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 11:22 287040]
    "RoboForm"="C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe" [2008-03-21 12:29 144448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 12:37 114688]
    "SoundMan"="SOUNDMAN.EXE" [2004-01-09 16:24 65536 C:\WINDOWS\SOUNDMAN.EXE]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
    "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 16:20 155648]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

    S0 XMS1563K;XMS1563K;C:\WINDOWS\system32\drivers\XMS1563K.sys [2008-03-12 11:23]

    *Newly Created Service* - APPMGMT
    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-11 18:40:04 C:\WINDOWS\Tasks\At1.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 19:30:04 C:\WINDOWS\Tasks\At2.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 20:30:04 C:\WINDOWS\Tasks\At3.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-06 21:30:04 C:\WINDOWS\Tasks\At4.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-06 22:30:06 C:\WINDOWS\Tasks\At5.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-06 23:30:06 C:\WINDOWS\Tasks\At6.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-07 00:30:04 C:\WINDOWS\Tasks\At7.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-07 01:30:06 C:\WINDOWS\Tasks\At8.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-07 02:30:04 C:\WINDOWS\Tasks\At9.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 03:30:04 C:\WINDOWS\Tasks\At10.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 04:30:04 C:\WINDOWS\Tasks\At11.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 05:30:02 C:\WINDOWS\Tasks\At12.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-05 06:30:16 C:\WINDOWS\Tasks\At13.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-12 07:30:04 C:\WINDOWS\Tasks\At14.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-12 08:30:04 C:\WINDOWS\Tasks\At15.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-10 09:30:04 C:\WINDOWS\Tasks\At16.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-10 10:30:04 C:\WINDOWS\Tasks\At17.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-03 20:47:40 C:\WINDOWS\Tasks\At18.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-03 20:47:40 C:\WINDOWS\Tasks\At19.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-03 20:47:40 C:\WINDOWS\Tasks\At20.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-03 20:47:40 C:\WINDOWS\Tasks\At21.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-12 15:30:04 C:\WINDOWS\Tasks\At22.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-12 16:30:06 C:\WINDOWS\Tasks\At23.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    "2008-04-11 17:30:06 C:\WINDOWS\Tasks\At24.job"
    - C:\WINDOWS\system32\iB0M3oar.exe
    .
    **************************************************************************
    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-12 22:23:37
    Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-04-12 22:23:57
    ComboFix-quarantined-files.txt 2008-04-12 16:53:54
    Pre-Run: 1,495,969,792 bytes free
    Post-Run: 1,508,503,552 bytes free

    NEW HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:25:39 PM, on 4/12/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Orbitdownloader\orbitdm.exe
    C:\Program Files\Orbitdownloader\orbitnet.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Documents and Settings\sunny\Application Data\RoboForm\roboform.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [RoboForm] "C:\Documents and Settings\sunny\Application Data\RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Customize Menu - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Documents and Settings\sunny\Application Data\RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{411A98B9-FC4B-48CC-B06D-12C81CD9A613}: NameServer = 218.248.240.24 218.248.240.135
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 5155 bytes
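The ComboFix output in the post above lists 24 At*.job scheduled tasks that all launch C:\WINDOWS\system32\iB0M3oar.exe, the Security Center key has AntiVirusOverride set to 1, and the first HijackThis log shows an executable running from the user's Temp folder. The Python script below is an added example for readers of this thread; it is not part of the thread and is not code from HijackThis or ComboFix. It parses a HijackThis "Running processes" list and the registry and scheduled-task sections of a ComboFix log, then flags those three indicators. The sample log text embedded in it is constructed from lines quoted in the thread (trimmed to three of the tasks), and the threshold of three tasks sharing one target is an assumption chosen for the example.

```python
"""Triage helper for HijackThis and ComboFix log excerpts.

Added example for this thread; it is not part of HijackThis or ComboFix.
It parses the 'Running processes:' list of a HijackThis log and the
registry / 'Scheduled Tasks' sections of a ComboFix log, then flags:
  * executables running from a user's Temp directory,
  * several At*.job tasks that all launch the same binary, and
  * Security Center *Override values that are set (alerts suppressed).
Both sample logs below are constructed from lines quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample: a trimmed HijackThis log (real logs list far more processes).
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:37 PM, on 4/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\DOCUME~1\sunny\LOCALS~1\Temp\6VKQ322c.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
"""

# Constructed sample: the registry and scheduled-task parts of a ComboFix log,
# trimmed to three of the 24 At*.job entries shown in the thread.
COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

Contents of the 'Scheduled Tasks' folder
"2008-04-11 18:40:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 19:30:04 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\iB0M3oar.exe
"2008-04-11 20:30:04 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\iB0M3oar.exe
.
**************************************************************************
"""

HJT_ENTRY = re.compile(r"^[RFNO]\d+ - ")  # an R0/O2/O4... line ends the process list
TASK_HEADER = re.compile(r'^"(?P<stamp>\S+ \S+) (?P<job>.+\.job)"$')
TEMP_DIR = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)
SC_OVERRIDE = re.compile(r'^"(?P<key>\w+Override)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def parse_hjt_processes(text):
    """Return the executable paths listed under 'Running processes:'."""
    procs, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            collecting = True
            continue
        if not collecting or not line:
            continue
        if HJT_ENTRY.match(line) or line.startswith("--"):
            break  # first R/F/N/O entry (or the trailer) ends the list
        procs.append(line)
    return procs


def parse_combofix_tasks(text):
    """Return (job file, target command) pairs from the Scheduled Tasks section."""
    tasks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TASK_HEADER.match(line)
        if m:
            pending = m.group("job")          # a header line names the .job file
        elif pending and line.startswith("- "):
            tasks.append((pending, line[2:].strip()))  # the next '- ' line is its target
            pending = None
    return tasks


def parse_security_center_overrides(text):
    """Return Security Center *Override values that are non-zero (alerts suppressed)."""
    found = {}
    for raw in text.splitlines():
        m = SC_OVERRIDE.match(raw.strip())
        if m and int(m.group("val"), 16) != 0:
            found[m.group("key")] = int(m.group("val"), 16)
    return found


def flag_temp_processes(procs):
    """Processes whose image lives under a Temp (or LOCALS~1) directory."""
    return [p for p in procs if TEMP_DIR.search(p)]


def flag_repeated_task_targets(tasks, threshold=3):
    """Targets launched by at least `threshold` scheduled tasks (threshold is an assumption)."""
    counts = Counter(target for _, target in tasks)
    return {t: n for t, n in counts.items() if n >= threshold}


def triage(hjt_text, combofix_text):
    """Run all three checks and return the findings keyed by indicator name."""
    procs = parse_hjt_processes(hjt_text)
    tasks = parse_combofix_tasks(combofix_text)
    return {
        "temp_processes": flag_temp_processes(procs),
        "repeated_task_targets": flag_repeated_task_targets(tasks),
        "security_center_overrides": parse_security_center_overrides(combofix_text),
    }


if __name__ == "__main__":
    for name, hits in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{name}: {hits}")
```

Run it as a script to print the findings for the embedded samples, or import it and pass the text of real logs to triage(). A batch of At jobs pointing at one executable and a non-zero Security Center override are both worth a closer look on their own; together with a process running from Temp they describe exactly the pattern the poster was fighting, where killing the process and deleting the file does nothing because the scheduled tasks recreate it.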

  • The virus still exists. ComboFix did not work.

  • Hello sunnygrover,

    Please navigate to Start, My Computer, and double-click on the icon of your hard disk. See if you can find a file called WINDOWSkj01d.sys and copy it to a different location, for example your desktop. Open the Windows folder, then the Tasks subfolder, and copy all the files located there that have At(number 1-6), and also these files: MAGIC.EXE and ali.exe. For the system32 subfolder, first go to the Tools menu, Folder Options, Display/View tab, uncheck the option "Hide protected operating system files" and check the option "Show hidden files and folders", press Apply and OK, then search for this file: iB0M3oar.exe (it could be that you only see IBOM3oar). Read this on how you can archive these files. Once you have created the archive, please make a new topic in this section. When you create a topic there, post also the link to this topic. To upload something, once you are in the screen for creating a new topic, scroll down till you see the attachment section, press on Browse, navigate to the location where you stored your archive and press on Upload. Please also write down the password you used.

    Please download this program on an administrator account. You need to store it on your desktop. Now double-click on it; if you see a warning message, please press on Run. A screen asking where you want to install will appear; do not change the installation directory, press on Install. Now reboot your PC into safe mode by rebooting your computer and pressing the F8 button several times before the Windows loading splash screen, then select Safe Mode and press Enter. Now log in with the administrator account (you should log in to a user account on your computer). Now press the Windows button together with R and type C:\SDFix\RunThis.bat, then press Enter. To continue press Y. When the scan is finished you will see the message "press any key to continue". Please post the output of the scan report.

    Best regards
    Niels

  • I did all you told me to do. Unfortunately the malware still exists. I have made another post where you told me to, under the heading SAMPLE SUBMISSION. Could you please follow up on that.

  • Hello sunnygrover,

    Please check my answer here. Sorry, maybe it would have been better if I had posted my answer here in this topic. Please continue here.

    Best regards
    Niels