PDA

View Full Version : Suspected Virtumonde Infection - Please Advise



Ell49
2007-12-30, 03:13
A couple days ago, I noticed AVG freaking out about a suspected virus. Spybot and Ad-Aware didn't detect anything, so I launched Kaspersky--this was what it found:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 9:22:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/12/2007
Kaspersky Anti-Virus database records: 499159
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 89217
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:30:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1549OinUninstaller.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1549OinUninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Liz\.housecall6.6\Quarantine\stany.exe.bac_a01664 Infected: Trojan.Win32.Pakes.bvr skipped
C:\Documents and Settings\Liz\.housecall6.6\Quarantine\stany[1].exe.bac_a01664 Infected: Trojan.Win32.Pakes.bvr skipped
C:\Documents and Settings\Liz\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Liz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Liz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Liz\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Liz\Local Settings\History\History.IE5\MSHist012007122820071229\index.dat Object is locked skipped
C:\Documents and Settings\Liz\Local Settings\Temp\k11u88.exe/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Documents and Settings\Liz\Local Settings\Temp\k11u88.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Liz\Local Settings\Temp\TMP2A8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Liz\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Liz\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B8BE435C-D757-4D7B-BC86-0DA16D93301A}\RP723\A0176448.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B8BE435C-D757-4D7B-BC86-0DA16D93301A}\RP723\A0176448.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B8BE435C-D757-4D7B-BC86-0DA16D93301A}\RP723\A0176552.exe Object is locked skipped
C:\System Volume Information\_restore{B8BE435C-D757-4D7B-BC86-0DA16D93301A}\RP723\A0176556.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{36CEB6AD-4C7F-4177-9A93-425CF6D19FEA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fccdddd.dll Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ssqrp.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I also ran VundoFix this morning, after the trial version of Spyware Doctor identified the bug as Virtumonde. Here is what the most recent HJT log had to say:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:06 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - C:\WINDOWS\system32\fccdddd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {81BFBB8D-3732-4FA6-92DC-C9A4AA002A09} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: fccdddd - fccdddd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7188 bytes

I hope this helps!

ken545
2007-12-30, 16:27
Ell49

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


FYI Games by Yazzle is something you want to stay away from, they most times have things bundled with the downloads that you do not need on your system...


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall




This is important , do this before you post a new log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Ell49.exe



I need to see the Combofix log and a New HJT log renamed please

Ell49
2007-12-30, 21:17
I did as you requested--unfortunately, I now have a useless zero-byte icon for 'combofix.exe', and the system is not letting me delete it--it says it's being used by something. Anyway, here's the Combofix log:

ComboFix 07-12-21.4 - Liz 2007-12-30 13:44:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT -5:00]
Running from: C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\XB379TW6\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 20:30 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gyooklgtdfhs.sys
2007-12-29 20:17 . 2007-12-30 04:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 20:17 . 2007-12-30 03:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 20:17 . 2007-12-30 03:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 20:17 . 2007-12-30 03:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-29 19:26 . 2007-12-30 13:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 14:09 . 2007-12-29 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 13:48 . 2007-12-30 04:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-29 13:48 . 2007-12-29 13:48 <DIR> d-------- C:\Documents and Settings\Liz\Application Data\PC Tools
2007-12-29 13:48 . 2007-12-29 13:51 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-29 13:48 . 2007-12-29 13:51 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-29 13:48 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-29 13:48 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-29 13:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-28 22:34 . 2007-12-28 22:34 <DIR> d-------- C:\KAV
2007-12-28 17:08 . 2003-05-02 22:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-28 16:53 . 2007-12-28 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 16:52 . 2007-12-28 16:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 03:49 . 2007-12-28 03:49 <DIR> d-------- C:\Documents and Settings\Liz\Application Data\TrojanHunter
2007-12-28 03:42 . 2007-12-30 13:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-28 03:16 . 2007-12-28 03:16 <DIR> d-------- C:\VundoFix Backups
2007-12-28 02:58 . 2007-12-28 02:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 02:10 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-28 01:42 . 2007-12-28 01:42 <DIR> d-------- C:\Program Files\Safer Networking
2007-12-27 23:34 . 2007-12-28 02:22 <DIR> d-------- C:\Documents and Settings\Liz\.housecall6.6
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\Temp\cEeer12
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\Temp
2007-11-29 09:54 . 2007-11-29 09:54 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-11-16 21:00 . 2007-12-29 22:09 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-16 21:00 . 2007-12-29 14:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 04:10 . 2007-12-12 03:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-14 04:10 . 2007-11-14 04:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 18:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-30 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-30 09:01 --------- d-----w C:\Program Files\MUSHclient
2007-12-30 01:34 --------- d-----w C:\Documents and Settings\Liz\Application Data\AVG7
2007-12-29 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-29 19:10 --------- d-----w C:\Documents and Settings\Liz\Application Data\Lavasoft
2007-12-28 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:20 --------- d-----w C:\Program Files\Trillian
2007-12-28 05:26 --------- d-----w C:\Program Files\QuickTime
2007-12-28 05:26 --------- d-----w C:\Program Files\iTunes
2007-12-14 21:17 --------- d-----w C:\Program Files\World of Warcraft
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-28 04:04 44,000 ----a-w C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
2006-01-13 01:54 234,357 ----a-w C:\Program Files\mp.zip
2006-01-12 21:44 639,711 ----a-w C:\Program Files\zsnesw142.zip
2005-12-05 23:28 916,806 ------w C:\Program Files\Dec2005_MDX1_x86.cab
2005-12-05 23:28 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2005-12-05 23:28 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2005-12-05 23:28 41,888 ------w C:\Program Files\dxdllreg_x86.cab
2005-12-05 23:28 3,673,932 ------w C:\Program Files\Dec2005_MDX1_x86_Archive.cab
2005-12-05 23:28 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2005-12-05 23:27 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2005-12-05 23:00 976,020 ------w C:\Program Files\BDAXP.cab
2005-12-05 23:00 81,092 ------w C:\Program Files\dxupdate.cab
2005-12-05 23:00 74,448 ------w C:\Program Files\DSETUP.dll
2005-12-05 23:00 703,080 ------w C:\Program Files\BDA.cab
2005-12-05 23:00 484,560 ------w C:\Program Files\DXSETUP.exe
2005-12-05 23:00 2,247,888 ------w C:\Program Files\dsetup32.dll
2005-12-05 23:00 15,493,481 ------w C:\Program Files\DirectX.cab
2005-12-05 23:00 13,265,040 ------w C:\Program Files\dxnt.cab
2005-12-05 23:00 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2005-12-05 23:00 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2005-12-05 23:00 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2005-12-05 23:00 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2005-12-05 23:00 1,156,363 ------w C:\Program Files\BDANT.cab
2005-12-05 23:00 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2005-12-05 23:00 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2005-12-05 23:00 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2005-12-05 23:00 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 593,920 2003-03-21 03:13:38 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 774,144 2003-03-21 05:05:42 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

----a-w 66,680 2004-02-29 16:14:00 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 274,432 2005-09-16 13:43:06 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 437,008 2005-12-04 20:38:58 C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe

----a-w 155,648 2006-01-17 03:36:29 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 1,415,824 2005-05-31 06:04:00 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 124,112 2004-07-20 00:50:00 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}]
C:\WINDOWS\system32\fccdddd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\irprops.cpl]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:54]

C:\Documents and Settings\Liz\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-03-04 17:23:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}"= C:\WINDOWS\system32\fccdddd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdddd]
fccdddd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 21:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-09 22:33:16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144393161.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-12-30 18:50:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 13:51:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 13:56:26 - machine was rebooted
.
2007-12-22 08:01:51 --- E O F ---

And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:22 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Ell49.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

ken545
2007-12-30, 21:56
Hello,

I need to see an entire Hijackthis log when you post it please. Combofix picked up and infection that we need to remove, its a trojan that overwrites legitimate windows programs and files and substitutes its own infected version.

Do these in order please.

You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.


===============================



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::



File::
C:\WINDOWS\system32\fccdddd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdddd]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



=========================================


You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**


Let me see the New Combofix log, the FindAWF log and a new HJT log

Ell49
2007-12-31, 03:18
Combofix:

ComboFix 07-12-21.4 - Liz 2007-12-30 19:52:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.161 [GMT -5:00]
Running from: C:\Documents and Settings\Liz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Liz\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\fccdddd.dll
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-30 14:22 . 2007-12-30 14:22 <DIR> d-------- C:\Program Files\Opera
2007-12-30 14:00 . 2007-12-30 14:00 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-29 20:30 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gyooklgtdfhs.sys
2007-12-29 20:17 . 2007-12-30 04:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-29 20:17 . 2007-12-30 03:19 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-29 20:17 . 2007-12-30 03:19 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-29 20:17 . 2007-12-30 03:19 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-29 19:26 . 2007-12-30 19:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-29 14:09 . 2007-12-29 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 13:48 . 2007-12-30 04:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-29 13:48 . 2007-12-29 13:48 <DIR> d-------- C:\Documents and Settings\Liz\Application Data\PC Tools
2007-12-29 13:48 . 2007-12-29 13:51 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-29 13:48 . 2007-12-29 13:51 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-29 13:48 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-29 13:48 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-29 13:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-28 22:34 . 2007-12-28 22:34 <DIR> d-------- C:\KAV
2007-12-28 17:08 . 2003-05-02 22:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-28 16:53 . 2007-12-28 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 16:52 . 2007-12-28 16:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 03:49 . 2007-12-28 03:49 <DIR> d-------- C:\Documents and Settings\Liz\Application Data\TrojanHunter
2007-12-28 03:42 . 2007-12-30 13:35 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-28 03:16 . 2007-12-28 03:16 <DIR> d-------- C:\VundoFix Backups
2007-12-28 02:58 . 2007-12-28 02:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-28 02:10 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-28 01:42 . 2007-12-28 01:42 <DIR> d-------- C:\Program Files\Safer Networking
2007-12-27 23:34 . 2007-12-28 02:22 <DIR> d-------- C:\Documents and Settings\Liz\.housecall6.6
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\Temp\cEeer12
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\Temp
2007-11-29 09:54 . 2007-11-29 09:54 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-11-16 21:00 . 2007-12-29 22:09 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-16 21:00 . 2007-12-29 14:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 04:10 . 2007-12-12 03:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-14 04:10 . 2007-11-14 04:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 00:46 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-30 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-30 09:01 --------- d-----w C:\Program Files\MUSHclient
2007-12-30 01:34 --------- d-----w C:\Documents and Settings\Liz\Application Data\AVG7
2007-12-29 19:10 --------- d-----w C:\Program Files\Lavasoft
2007-12-29 19:10 --------- d-----w C:\Documents and Settings\Liz\Application Data\Lavasoft
2007-12-28 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:20 --------- d-----w C:\Program Files\Trillian
2007-12-28 05:26 --------- d-----w C:\Program Files\QuickTime
2007-12-28 05:26 --------- d-----w C:\Program Files\iTunes
2007-12-14 21:17 --------- d-----w C:\Program Files\World of Warcraft
2007-12-06 03:11 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-28 04:04 44,000 ----a-w C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
2006-01-13 01:54 234,357 ----a-w C:\Program Files\mp.zip
2006-01-12 21:44 639,711 ----a-w C:\Program Files\zsnesw142.zip
2005-12-05 23:28 916,806 ------w C:\Program Files\Dec2005_MDX1_x86.cab
2005-12-05 23:28 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2005-12-05 23:28 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2005-12-05 23:28 41,888 ------w C:\Program Files\dxdllreg_x86.cab
2005-12-05 23:28 3,673,932 ------w C:\Program Files\Dec2005_MDX1_x86_Archive.cab
2005-12-05 23:28 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2005-12-05 23:27 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2005-12-05 23:00 976,020 ------w C:\Program Files\BDAXP.cab
2005-12-05 23:00 81,092 ------w C:\Program Files\dxupdate.cab
2005-12-05 23:00 74,448 ------w C:\Program Files\DSETUP.dll
2005-12-05 23:00 703,080 ------w C:\Program Files\BDA.cab
2005-12-05 23:00 484,560 ------w C:\Program Files\DXSETUP.exe
2005-12-05 23:00 2,247,888 ------w C:\Program Files\dsetup32.dll
2005-12-05 23:00 15,493,481 ------w C:\Program Files\DirectX.cab
2005-12-05 23:00 13,265,040 ------w C:\Program Files\dxnt.cab
2005-12-05 23:00 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2005-12-05 23:00 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2005-12-05 23:00 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2005-12-05 23:00 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2005-12-05 23:00 1,156,363 ------w C:\Program Files\BDANT.cab
2005-12-05 23:00 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2005-12-05 23:00 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2005-12-05 23:00 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2005-12-05 23:00 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
.

((((((((((((((((((((((((((((( snapshot@2007-12-30_13.52.00.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-12-30 19:36:51 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\irprops.cpl]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:54]

C:\Documents and Settings\Liz\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-03-04 17:23:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""


.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 21:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-09 22:33:16 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144393161.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2007-12-31 00:46:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 19:55:31
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 19:56:25
C:\ComboFix2.txt ... 2007-12-30 13:56
.
2007-12-22 08:01:51 --- E O F ---

FindAWF:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 12/30/2007
The current time is: 20:07:21.01


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/16/2005 08:43 AM 274,432 iTunesHelper.exe
1 File(s) 274,432 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 11:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

12/04/2005 03:38 PM 437,008 itype.exe
1 File(s) 437,008 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/16/2006 10:36 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

07/19/2004 07:50 PM 124,112 VPTray.exe
1 File(s) 124,112 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

03/20/2003 10:13 PM 593,920 Smax4.exe
03/21/2003 12:05 AM 774,144 SMax4PNP.exe
2 File(s) 1,368,064 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

02/29/2004 11:14 AM 66,680 ccApp.exe
1 File(s) 66,680 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

274432 Sep 16 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 13 2007 "C:\WINDOWS\Installer\{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}\iTunesIco.exe"
116288 Jun 13 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.2.0.35\iTunesSetupAdmin.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
437008 Dec 4 2005 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
437008 Dec 4 2005 "C:\Program Files\Microsoft IntelliType Pro 5.5\IType\Setup\Files\itype.exe"
155648 Jan 16 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
124112 Jul 19 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
593920 Mar 20 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
593920 Mar 20 2003 "C:\Powrspec\Drivers\Audio\SMX\SM_Panel\Sys\SMax4.exe"
774144 Mar 21 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
774144 Mar 20 2003 "C:\Powrspec\Drivers\Audio\SMX\SM_PNP\Sys\SMax4PNP.exe"
66680 Feb 29 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"


end of report

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:12 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Ell49.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6814 bytes

ken545
2007-12-31, 04:00
Hello,

Your doing well :bigthumb: It looks like Vundo is gone , we need to clean up this fiasco next.

FYI <-- The files in the programs I am listing below are the ones that have been replaced by infected ones, what we are going to do is restore the original files from backup and then get rid of the bad ones.

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Ell49
2008-01-01, 00:39
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 12/31/2007
The current time is: 17:35:38.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/16/2005 08:43 AM 274,432 iTunesHelper.exe
1 File(s) 274,432 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 11:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

12/04/2005 03:38 PM 437,008 itype.exe
1 File(s) 437,008 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/16/2006 10:36 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

07/19/2004 07:50 PM 124,112 VPTray.exe
1 File(s) 124,112 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

03/20/2003 10:13 PM 593,920 Smax4.exe
03/21/2003 12:05 AM 774,144 SMax4PNP.exe
2 File(s) 1,368,064 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

02/29/2004 11:14 AM 66,680 ccApp.exe
1 File(s) 66,680 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

274432 Sep 16 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
274432 Sep 16 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 13 2007 "C:\WINDOWS\Installer\{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}\iTunesIco.exe"
116288 Jun 13 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.2.0.35\iTunesSetupAdmin.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
437008 Dec 4 2005 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
437008 Dec 4 2005 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
437008 Dec 4 2005 "C:\Program Files\Microsoft IntelliType Pro 5.5\IType\Setup\Files\itype.exe"
155648 Jan 16 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Jan 16 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
124112 Jul 19 2004 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
124112 Jul 19 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
593920 Mar 20 2003 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
593920 Mar 20 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
593920 Mar 20 2003 "C:\Powrspec\Drivers\Audio\SMX\SM_Panel\Sys\SMax4.exe"
774144 Mar 21 2003 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
774144 Mar 21 2003 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
774144 Mar 20 2003 "C:\Powrspec\Drivers\Audio\SMX\SM_PNP\Sys\SMax4PNP.exe"
66680 Feb 29 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Feb 29 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"


end of report

ken545
2008-01-01, 05:53
Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\iTunes\bak
C:\Program Files\Messenger\bak
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Symantec AntiVirus\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Common Files\Symantec Shared\bak


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

Ell49
2008-01-01, 08:04
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 01/01/2008
The current time is: 0:16:08.60


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report

ken545
2008-01-01, 15:48
This one did not take, it looks like an older version anyway
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Go to your Add Remove Programs in the Control Panel and uninstall Spybot Search and Destroy.

Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\Spybot - Search & Destroy\bak

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Ell49
2008-01-03, 21:56
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 01/03/2008
The current time is: 14:54:06.85


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report

There were two instances of Spybot in the Remove Programs folder--I uninstalled Spybot - Search and Destroy, not Spybot - Search and Destroy 1.4.

ken545
2008-01-04, 01:36
Spybot Search and Destroy 1.4 is an older version and it looks like the one that may be infected. Uninstall both versions if there both present, after your clean, we can download and install the newer version .

After you uninstall them, reboot and then go here and delete the entire folder.
C:\Program Files\Spybot - Search & Destroy


Reboot again and run Option 1 for FindAWF and lets see if its gone.

How are ya doing, did you have a nice holiday??

Hang in, where almost done

Ell49
2008-01-12, 01:06
It's going quite fine, thanks, though I've been a bit busy. :) Here's the report.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 01/11/2008
The current time is: 18:02:28.89


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

ken545
2008-01-12, 02:05
Great, post a new HJT log and let me take a peak

Ell49
2008-01-13, 05:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:41 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Liz\My Documents\MP\Meridian\Meridian.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\Ell49.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-

784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32

\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32

\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

/RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-

Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan

Agent 6.6) -

http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/ac

tivex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan

Agent 6.5) -

http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/ac

tivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB -

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec

Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec

AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools -

C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools -

C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) -

Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6526 bytes

ken545
2008-01-13, 06:04
Hello,

Can't read your log the way you posted it, when it opens in Notepad, go to Format and uncheck Wordwrap and post a new log please.

Ell49
2008-01-14, 07:23
Sorry about that. Here's the file, sans word wrap.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:35 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Ell49.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6465 bytes

Also, can I go ahead and reinstall Spybot?

ken545
2008-01-14, 12:27
Good Morning,

Your log looks fine. You can go ahead and reinstall Spybot Search and Destroy...BUT, make 100% sure this is gone first.

C:\Program Files\Spybot - Search & Destroy <-- Delete this folder if its still present.

Then empty your Recycle Bin.




Download Spybot Search and Destroy 1.5.1 (http://www.safer-networking.org/en/download/index.html)
If you have the older version 1.4, remove it via the Add-Remove Programs in the Control Panel.


During Installation, just follow all the defaults.
Go to Mode and click on Advanced Mode
Then to Updates Search for Updates
If you get a Bad Checksum Error, just choose a different download location.
Then to Settings/ File Sets and take the checkmark out of Usage Tracks
Then to Tools/ Hosts Files click on Add Spybot S&D Hosts Files.
Then to Tools/ IE Tweeks and put a checkmark in Lock the Hosts Files
Then to Immunize. Up at the top by the GREEN SIGN, click on Immunize.
Then to Search and Destroy/ Check for Problems
Let it scan your system
Then to Fix Problems and fix all it finds.
Reboot your computer.






How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, these are must haves to help keep you secure

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken