
Thread: Virtumonde is killing me

  1. #1 Junior Member (joined Aug 2007, 15 posts)

    Virtumonde is killing me

    Guys, could anybody help me with this...
    I have a problem with this PC at my work, and I am fed up with lamers coming and telling me that they can format it for a fee! I know how to format it but just can't, because of the whole bunch of programs and servers whose installation I do not have!
    I tried Spybot and VundoFix and nothing works...
    I made a HijackThis log so you could have some insight...
    Thanks a lot for any help provided...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:25:49, on 16/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\sysems.exe
    C:\WINDOWS\system32\sscc.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
    C:\WINDOWS\ASUSKBService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system\ehSched.exe
    C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    C:\WINDOWS\system32\dllcache\ivchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\System32\urdvxc.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscvs.exe
    C:\WINDOWS\system32\wspvs.exe
    C:\Documents and Settings\nm\Desktop\HijackThis.exe
    C:\WINDOWS\System32\HPBPRO.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKLM\..\Run: [sixer566] C:\WINDOWS\system32\sscc.exe
    O4 - HKLM\..\Run: [mmsass] mmdmm.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [amsgupdate] C:\WINDOWS\system32\ams.exe
    O4 - HKLM\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" *
    O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\RunServices: [Microsoft Updates] msvccl.exe
    O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
    O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKCU\..\Run: [sixer566] C:\WINDOWS\system32\sscc.exe
    O4 - HKCU\..\Run: [amsgupdate] C:\WINDOWS\system32\ams.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
    O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe
    O23 - Service: Windows Server Peer Verification Service (wspvs) - Unknown owner - C:\WINDOWS\system32\wspvs.exe
    O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

    --
    End of file - 8220 bytes

  2. #2 Shaba, Emeritus (Finland; joined Oct 2006, 29,644 posts)

    Hi chaba

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
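The log review Shaba describes above, worked through in code as an added example (not part of the thread and not HijackThis code): it reads O4 autostart and O23 service lines like the ones in the first log and flags the patterns a helper looks for: bare file names, names one or two letters away from a core Windows process, core names outside their normal folder, binaries in dllcache, "Unknown owner" services with official-sounding names. The sample lines are copied from the first log; the allowlist, mimic words and lookalike threshold are assumptions to tune per machine.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines.

Added example, not part of the thread and not HijackThis code. KNOWN_OK,
MIMIC and the lookalike threshold are assumptions to tune per machine.
"""
import re
from pathlib import PureWindowsPath

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Core Windows XP processes and the folder each normally runs from.
CORE = {"smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
        "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
        "spoolsv.exe": "system32", "ctfmon.exe": "system32", "explorer.exe": "windows"}
MIMIC = ("windows", "microsoft", "ms ")       # wording used to look official
KNOWN_OK = {"ctfmon.exe", "nerocheck.exe"}    # system32 binaries verified by hand

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_exe(exe, from_run_key):
    """Findings about one executable path or bare file name."""
    p = PureWindowsPath(exe)
    base, folder = p.name.lower(), p.parent.name.lower()
    found = []
    if "?" in exe:
        found.append("HIGH: path contains a character HijackThis could not print ('?')")
    if "\\" not in exe:
        found.append("REVIEW: bare file name, resolved through the search path")
    if folder == "dllcache":
        found.append("HIGH: runs from the System File Protection cache (dllcache)")
    for core, home in CORE.items():
        d = levenshtein(base, core)
        if d == 0 and "\\" in exe and folder != home:
            found.append(f"HIGH: {core} outside its normal folder ({home})")
        elif 0 < d <= min(2, len(core) // 5):   # one or two edits away from a core name
            found.append(f"HIGH: name looks like {core}")
    if from_run_key and folder == "system32" and base not in CORE and base not in KNOWN_OK:
        found.append("REVIEW: Run entry starts an unverified binary dropped in system32")
    return found

def triage(log_text):
    """Return {line: [findings]} for every O4/O23 line that raises a finding."""
    report = {}
    for line in map(str.strip, log_text.splitlines()):
        found = []
        if m := O4_RE.match(line):
            if m["key"].lower().endswith("runservices"):
                found.append("REVIEW: uses the legacy RunServices key")
            if any(w in m["name"].lower() for w in MIMIC):
                found.append("REVIEW: entry name imitates a Windows component")
            if e := EXE_RE.match(m["cmd"]):
                found += check_exe(e["exe"], from_run_key=True)
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                mimic = any(w in m["display"].lower() for w in MIMIC)
                found.append(("HIGH" if mimic else "REVIEW") + ": service has no vendor information")
            if e := EXE_RE.match(m["path"]):
                found += check_exe(e["exe"], from_run_key=False)
        if found:
            report[line] = found
    return report

# Lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" *
O4 - HKLM\..\RunServices: [Microsoft Updates] msvccl.exe
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
"""

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ", f)
```

Findings marked REVIEW are only prompts to verify the file (legitimate installers also use bare names and system32); HIGH ones are the patterns that, in this log, all turned out to be the infection.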

  3. #3 Junior Member (joined Aug 2007, 15 posts)

    Shaba, thank you for replying to my post so soon...
    I am aware of the threat and am planning to format my disk as soon as possible, but I do not have the time or resources at the moment, so any help towards a partial solution of my problem would suit (it has to work just for one or two months). I am taking any risk if you are willing to help.


    Regards....

  4. #4 Shaba, Emeritus (Finland; joined Oct 2006, 29,644 posts)

    Hi

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, the Advanced Options Menu should appear.
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

  5. #5 Junior Member (joined Aug 2007, 15 posts)

    Hi,
    I am sending the new HijackThis and SDFix logs:


    SDFix: Version 1.98

    Run by nm on 17/08/2007 at 16:55

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    DomainService
    mshexdefx
    MSWindows
    runtime
    wspvs

    ImagePath:
    C:\WINDOWS\System32\othfgcqv.exe /service
    "C:\WINDOWS\system32\dllcache\ivchost.exe"
    "C:\WINDOWS\System32\urdvxc.exe" /service
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    C:\WINDOWS\system32\wspvs.exe

    DomainService - Deleted
    mshexdefx - Deleted
    MSWindows - Deleted
    runtime - Deleted
    wspvs - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...

    Service runtime2 - Deleted after Reboot

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32\.exe - Deleted
    C:\WINDOWS\SYSTEM32\DLOAD.EXE - Deleted
    C:\WINDOWS\SYSTEM32\MSV.EXE - Deleted
    C:\WINDOWS\system32\.exe - Deleted
    C:\WINDOWS\system32\1_exception.nls - Deleted
    C:\WINDOWS\system32\ams.exe - Deleted
    C:\WINDOWS\system32\crypts.dll - Deleted
    C:\WINDOWS\system32\dllcache\ivchost.exe - Deleted
    C:\WINDOWS\system32\helperam1.exe - Deleted
    C:\WINDOWS\system32\helpersscc.exe - Deleted
    C:\WINDOWS\system32\i - Deleted
    C:\WINDOWS\system32\sscc.exe - Deleted
    C:\WINDOWS\system32\TFTP756 - Deleted
    C:\WINDOWS\system32\urdvxc.exe - Deleted
    C:\WINDOWS\system32\wspvs.exe - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted
    C:\WINDOWS\Temp\startdrv.exe - Deleted
    C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\system32\\wspvs.exe"="C:\\WINDOWS\\system32\\wspvs.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\System32\\Ati2evxx.exe"="C:\\WINDOWS\\System32\\Ati2evxx.exeC:\\WINDOWS\\System32\\Ati2evxx.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\mmdmm.exe"="C:\\WINDOWS\\System32\\mmdmm.exeC:\\WINDOWS\\System32\\mmdmm.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\System32\\svcchosst.exe"="C:\\WINDOWS\\System32\\svcchosst.exeC:\\WINDOWS\\System32\\svcchosst.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\system32\\sscc.exe"="C:\\WINDOWS\\system32\\sscc.exeC:\\WINDOWS\\system32\\sscc.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exeC:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\system\\ehSched.exe"="C:\\WINDOWS\\system\\ehSched.exe:*:Enabled:Windows Configuration"
    "\\??\\C:\\WINDOWS\\system32\\csrss.exe"="\\??\\C:\\WINDOWS\\system32\\csrss.exeC:\\WINDOWS\\system32\\csrss.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"="C:\\Program Files\\Common Files\\Teleca Shared\\Generic.exeC:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exeC:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\Mixer.exe"="C:\\WINDOWS\\Mixer.exeC:\\WINDOWS\\Mixer.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exeC:\\Program Files\\IVT Corporation\\BlueSoleil\\BTNtService.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\ASUSKBService.exe"="C:\\WINDOWS\\ASUSKBService.exeC:\\WINDOWS\\ASUSKBService.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\urdvxc.exe"="C:\\WINDOWS\\System32\\urdvxc.exeC:\\WINDOWS\\System32\\urdvxc.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exeC:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exeC:\\WINDOWS\\system32\\services.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\LogMeIn\\LogMeInSystray.exe"="C:\\Program Files\\LogMeIn\\LogMeInSystray.exeC:\\Program Files\\LogMeIn\\LogMeInSystray.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exeC:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe"="C:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exeC:\\Program Files\\Alcohol Soft\\Alcohol 120\\StarWind\\StarWindService.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\system32\\wscvs.exe"="C:\\WINDOWS\\system32\\wscvs.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exeC:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exeC:\\WINDOWS\\system32\\lsass.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"="C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exeC:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\System32\\svchost.exeC:\\WINDOWS\\System32\\svchost.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\QuickTime\\QTTask.exe"="C:\\Program Files\\QuickTime\\QTTask.exeC:\\Program Files\\QuickTime\\QTTask.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exeC:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\HPBPRO.EXE"="C:\\WINDOWS\\System32\\HPBPRO.EXEC:\\WINDOWS\\System32\\HPBPRO.EXE:*:Enabled:Windows Server Peer Verification Service"
    "C:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exe"="C:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exeC:\\Program Files\\FileMaker\\FileMaker Server 5.5\\Fmserver.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\fuiarsnh.exe"="C:\\WINDOWS\\System32\\fuiarsnh.exeC:\\WINDOWS\\System32\\fuiarsnh.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\PROGRAM FILES\\FAXTALK COMMUNICATOR\\FAPIEXE.EXE"="C:\\PROGRAM FILES\\FAXTALK COMMUNICATOR\\FAPIEXE.EXEFAPIEXE.EXE:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\system32\\sysems.exe"="C:\\WINDOWS\\system32\\sysems.exeC:\\WINDOWS\\system32\\sysems.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\WINDOWS\\System32\\ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exeC:\\WINDOWS\\System32\\ctfmon.exe:*:Enabled:Windows Server Peer Verification Service"
    "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"="C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exeC:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\system32\\dllcache\\ivchost.exe"="C:\\WINDOWS\\system32\\dllcache\\ivchost.exeC:\\WINDOWS\\system32\\dllcache\\ivchost.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\system32\\savedump.exe"="C:\\WINDOWS\\system32\\savedump.exeC:\\WINDOWS\\system32\\savedump.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exeC:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exeC:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\wuauclt.exe"="C:\\WINDOWS\\System32\\wuauclt.exeC:\\WINDOWS\\System32\\wuauclt.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\lbwrwled.exe"="C:\\WINDOWS\\System32\\lbw"
    "C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exeC:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXEC:\\WINDOWS\\Explorer.EXE:*:Enabled:Windows Server Client Verification Service"
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exewinlogon.exe:*:Enabled:Windows Server Client Verification Service"
    "C:\\WINDOWS\\System32\\othfgcqv.exe"="C:\\WINDOWS\\System32\\oth"

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\Sharing Folders\aidaomerika@hotmail.com\Thumbs.db
    C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\Sharing Folders\jasminahadzic-gluhic@hotmail.com\Thumbs.db
    C:\Documents and Settings\nm\Local Settings\Application Data\Microsoft\Messenger\emir_chaba@hotmail.com\SharingMetadata\mirna.strinic@hotmail.com\DFSR\ConflictDelete\mirna-{0F81E795-DE58-4DF0-935F-07C5B6F1C86A}-v23\Thumbs.db
    C:\WINDOWS\system\ehSched.exe
    C:\WINDOWS\system32\helpersysems.exe
    C:\WINDOWS\system32\sysems.exe
    C:\WINDOWS\system32\wscvs.exe
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
    C:\WINDOWS\LastGood.Tmp\INF\hdaudbus.inf
    C:\WINDOWS\LastGood.Tmp\INF\hdaudbus.PNF
    C:\WINDOWS\LastGood.Tmp\INF\hdaudio.inf
    C:\WINDOWS\LastGood.Tmp\INF\hdaudio.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
    C:\WINDOWS\Temp\wsc1.tmp
    C:\WINDOWS\Temp\wsc2.tmp
    C:\WINDOWS\Temp\wsc3.tmp
    C:\WINDOWS\Temp\wsc4.tmp
    C:\WINDOWS\Temp\wsc5.tmp
    C:\WINDOWS\Temp\wsc6.tmp

    Finished


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:03:24, on 17/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ASUSKBService.exe
    C:\WINDOWS\system\ehSched.exe
    C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wscvs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\sysems.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\HPBPRO.EXE
    C:\Documents and Settings\nm\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
    O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe
    O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

    --
    End of file - 7288 bytes


    TNX

  6. #6
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Next step is to install antivirus and firewall.

    Looking over your log, it seems you don't have any evidence of an anti-virus software.

    Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
    2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    Looking over your log, it seems you don't have any evidence of a third party firewall.

    As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

    1) Comodo
    2) Sunbelt/Kerio
    3) Agnitum
    4) ZoneAlarm

    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    After that:

    Create a folder of its own for HijackThis on the desktop and move it to that folder

    Rename HijackThis.exe to scanner.exe

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Aug 2007
    Posts
    15

    Default

    Hi,

    I installed the recommended programs (ZoneA and AVG) and found nearly 700 threats...

    Posting the new HijackThis and ComboFix logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:28:29, on 17/08/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\ASUSKBService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system\ehSched.exe
    C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\nm\Desktop\HijackThis\scanner.exe
    C:\WINDOWS\System32\HPBPRO.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {02A3397F-413B-4DA7-803A-18D957BE20BC} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8E5393B7-D4DB-4CD3-8449-9E66E379DDE6} - C:\WINDOWS\System32\fdfienao.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020307 serial=DR12CUS-2178927-HVQ lang=EN
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [Windows Server Client Verification Service] "C:\WINDOWS\system32\wscvs.exe" *
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\Run: [mmsass] mmdmm.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv
    O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86C17F17-51A5-4816-8CF8-2783079DA9E9}: NameServer = 195.222.32.10,195.222.32.20
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Media Center Scheduler Service (ehSched) - Unknown owner - C:\WINDOWS\system\ehSched.exe
    O23 - Service: FileMaker Server - FileMaker Incorporated - C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)
    O24 - Desktop Component 0: (no name) - C:\WINDOWS\System32\ad.html

    --
    End of file - 8343 bytes


    ComboFix 07-08-14.4 - "nm" 2007-08-17 19:22:57.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.308 [GMT 2:00]


    ((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))


    2007-08-17 17:53 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-17 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
    2007-08-17 17:22 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-08-17 17:22 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-08-17 17:22 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-08-17 17:22 34,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-08-17 17:22 2,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-08-17 17:22 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
    2007-08-17 17:22 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2007-08-17 17:22 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2007-08-17 16:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-16 12:07 <DIR> d-------- C:\VundoFix Backups
    2007-08-09 09:02 31,232 -r-hs---- C:\WINDOWS\system\ehSched.exe
    2007-08-07 20:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sony Ericsson
    2007-08-07 20:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\FileMaker
    2007-08-07 10:17 13,825 --a------ C:\WINDOWS\system32\msninfo.dll
    2007-08-04 07:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-04 07:32 142,220 --a------ C:\DOCUME~1\nm\grg.exe
    2007-07-24 15:47 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-07-24 15:46 <DIR> d-------- C:\lj1010seriesprintsys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-17 17:43 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Skype
    2007-08-17 17:25 1484 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-08-17 17:25 1316 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-08-16 20:19 --------- d-------- C:\Program Files\Common Files\Teleca Shared
    2007-08-16 20:11 --------- d-------- C:\Program Files\QuickTime
    2007-08-16 20:09 --------- d-------- C:\Program Files\Joost
    2007-08-16 20:07 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Lavasoft
    2007-08-09 09:03 --------- d-------- C:\Program Files\MSN Messenger
    2007-07-26 07:47 --------- d-------- C:\Program Files\Winamp
    2007-06-23 17:43 --------- d-------- C:\Program Files\MultiCalendarV3
    2007-06-23 17:43 --------- d-------- C:\Program Files\Agenda At Once
    2007-06-23 11:28 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Teleca
    2007-06-23 11:20 --------- d-------- C:\DOCUME~1\nm\APPLIC~1\Sony Ericsson
    2007-03-21 14:45:13 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02A3397F-413B-4DA7-803A-18D957BE20BC}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E5393B7-D4DB-4CD3-8449-9E66E379DDE6}]
    C:\WINDOWS\System32\fdfienao.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "C-Media Mixer"="Mixer.exe" [2003-03-20 08:21 C:\WINDOWS\mixer.exe]
    "CallControl 4.5"="C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe" [2001-10-02 03:39]
    "CorelDRAW Graphics Suite 11b"="E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" []
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30]
    "sysmss"="C:\WINDOWS\system32\sysems.exe" []
    "StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
    "TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
    "Windows Server Client Verification Service"="C:\WINDOWS\system32\wscvs.exe" []
    "LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe" []
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" []
    "msvccc66"="svcchosst.exe" []
    "mmsass"="mmdmm.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 18:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" []
    "Muud"="C:\WINDOWS\System32\CURITY~1\services.exe" []
    "Hscmzv"="C:\Program Files\S?mantec\?ervices.exe" []
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-28 14:52]
    "sysmss"="C:\WINDOWS\system32\sysems.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "msvccc66"=svcchosst.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Windows Server Peer Verification Service"="C:\WINDOWS\system32\wspvs.exe" *
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    "Windows Server Client Verification Service"="C:\WINDOWS\system32\wscvs.exe" *

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\WINDOWS\System32\ad.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=

    R0 a347bus;a347bus;C:\WINDOWS\System32\DRIVERS\a347bus.sys
    R0 a347scsi;a347scsi;C:\WINDOWS\System32\Drivers\a347scsi.sys
    R2 FileMaker Server;FileMaker Server;"C:\Program Files\FileMaker\FileMaker Server 5.5\Fmserver.exe"
    S2 wscvs;Windows Server Client Verification Service;C:\WINDOWS\system32\wscvs.exe
    S3 AEAudioService;AEAudio Service;C:\WINDOWS\System32\drivers\AEAudio.sys
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\fetnd5.sys
    S3 LMImirr;LMImirr;C:\WINDOWS\System32\DRIVERS\LMImirr.sys
    S3 SenFiltService;SenFilt Service;C:\WINDOWS\System32\drivers\Senfilt.sys


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-17 19:25:18
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-17 19:25:57
    C:\ComboFix-quarantined-files.txt ... 2007-08-17 19:25

    --- E O F ---
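Reading a HijackThis log by eye, as the helper does in this thread, comes down to a handful of recurring checks. The script below is an added example (not part of the thread and not HijackThis or ComboFix code): it parses O2/O4/O23 lines and flags the patterns an analyst looks for first: entries whose target is gone from disk, bare filenames resolved through the search path, paths containing an unprintable character shown as `?`, services with no vendor string, and file names that imitate or relocate a core Windows binary. The sample lines are copied from the log posted above; the `SYSTEM_BINARIES` list, the flag wording and the distance threshold are the example's own assumptions, and a flag is a triage hint to be vetted by hand, not a verdict.

```python
"""Heuristic triage of HijackThis O2 / O4 / O23 lines (added example; not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Core Windows binaries that legitimately live directly in %SystemRoot%\System32 (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "smss.exe",
                   "csrss.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<cmd>.*)$")
# First executable/library path in the command text, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|ocx|scr|cpl))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                   # "O2", "O4" or "O23"
    name: str                   # Run value name, BHO name or service name
    cmd: str                    # target exactly as HijackThis printed it
    flags: list = field(default_factory=list)


def _levenshtein(a, b):
    """Edit distance; catches near-miss names such as svcchosst.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(line):
    """Parse one log line; return an Entry with heuristic flags, or None for other item types."""
    line = line.strip()
    for kind, rx in (("O4", O4_RE), ("O23", O23_RE), ("O2", O2_RE)):
        m = rx.match(line)
        if m:
            break
    else:
        return None
    entry = Entry(kind, m.group("name"), m.group("cmd"))
    if "(file missing)" in entry.cmd or "(no file)" in entry.cmd:
        entry.flags.append("orphaned: target not on disk")
    if kind == "O23" and m.group("owner") == "Unknown owner":
        entry.flags.append("service without a vendor string")
    pm = PATH_RE.match(entry.cmd.strip())
    if not pm:
        return entry                      # e.g. "(no file)": nothing more to inspect
    folder, _, base = pm.group(1).lower().rpartition("\\")
    if not folder:
        entry.flags.append("bare filename: resolved through the search path")
    if "?" in pm.group(1):
        entry.flags.append("non-printable character in path (shown as '?'): look-alike name")
    if base in SYSTEM_BINARIES:
        if folder != SYSTEM32:
            entry.flags.append(f"system binary name {base} outside System32")
    else:
        near = sorted(s for s in SYSTEM_BINARIES if _levenshtein(base, s) <= 2)
        if near:
            entry.flags.append(f"name resembles system binary {near[0]}")
    return entry


def scan(lines):
    """Entries that raised at least one flag, in log order; an analyst vets each by hand."""
    return [e for e in map(triage, lines) if e and e.flags]


# Sample lines copied from the HijackThis log posted above (two clean entries kept for contrast).
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {8E5393B7-D4DB-4CD3-8449-9E66E379DDE6} - C:\WINDOWS\System32\fdfienao.dll (file missing)",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\Run: [msvccc66] svcchosst.exe",
    r'O4 - HKCU\..\Run: [Muud] "C:\WINDOWS\System32\CURITY~1\services.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Hscmzv] C:\Program Files\S?mantec\?ervices.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"O23 - Service: Windows Server Client Verification Service (wscvs) - Unknown owner - C:\WINDOWS\system32\wscvs.exe (file missing)",
]
```

Running `scan(SAMPLE_LINES)` on the sample flags five of the seven entries and leaves the ZoneAlarm client and the vsmon service untouched; bare filenames such as `HDAShCut.exe` from the full log would also be flagged and need a manual look.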

  8. #8
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Documents and Settings\nm\grg.exe

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Aug 2007
    Posts
    15

    Default

    Sorry for not answering before...
    Anyway, posting the requested results...

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.18.0 2007.08.20 -
    AntiVir 7.4.1.62 2007.08.20 TR/Crypt.PCMM.Gen
    Authentium 4.93.8 2007.08.17 -
    Avast 4.7.1029.0 2007.08.20 Win32:Crypt-SU
    AVG 7.5.0.484 2007.08.19 -
    BitDefender 7.2 2007.08.20 Trojan.Agent.ABJH
    CAT-QuickHeal 9.00 2007.08.20 (Suspicious) - DNAScan
    ClamAV 0.91 2007.08.20 -
    DrWeb 4.33 2007.08.20 BackDoor.Mailbot
    eSafe 7.0.15.0 2007.08.16 Win32.Spybot
    eTrust-Vet 31.1.5069 2007.08.18 -
    Ewido 4.0 2007.08.19 -
    FileAdvisor 1 2007.08.20 -
    Fortinet 2.91.0.0 2007.08.20 -
    F-Prot 4.3.2.48 2007.08.17 -
    F-Secure 6.70.13030.0 2007.08.20 -
    Ikarus T3.1.1.12 2007.08.20 Trojan.Agent.ABJH
    Kaspersky 4.0.2.24 2007.08.20 -
    McAfee 5100 2007.08.17 -
    Microsoft 1.2803 2007.08.20 -
    NOD32v2 2470 2007.08.19 -
    Norman 5.80.02 2007.08.20 -
    Panda 9.0.0.4 2007.08.19 Generic Malware
    Prevx1 V2 2007.08.20 Generic.Malware
    Rising 19.36.60.00 2007.08.19 Packer.Mian007
    Sophos 4.20.0 2007.08.12 Mal/Packer
    Sunbelt 2.2.907.0 2007.08.18 VIPRE.Suspicious
    Symantec 10 2007.08.20 W32.Spybot.Worm
    TheHacker 6.1.8.170 2007.08.17 -
    VBA32 3.12.2.2 2007.08.20 -
    VirusBuster 4.3.26:9 2007.08.20 -
    Webwasher-Gateway 6.0.1 2007.08.20 Trojan.Crypt.PCMM.Gen

  10. #10
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Download suspicious file packer from here

    Unzip it to the desktop, open it, paste in the list of files below, and press Next; it will create an archive (zip/cab file) on the desktop.

    C:\Documents and Settings\nm\grg.exe

    Go to spykiller

    Press New Topic and make the thread's title "Files for Shaba".
    Include in your message a link to this thread, then attach the cab/zip file to your message and post the topic.
    If you can't locate it through the Browse button, just copy/paste the filename and path.

    After that, reply here and we'll continue.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
