Here's my HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:42:05 PM, on 4/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hppwrsav] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\system32\uwimynhh.dll",setvm
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\system32\algs.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [SANS Service] C:\WINNT\system32\sansv.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\logon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINNT\system32\nber.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\system32\lssas.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Device Detector 3.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174493667125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174894509296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:\WINNT\lsasrv.exe (file missing)
O23 - Service: LSA Shell Export-Version - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: MSN Clean Messenger - Unknown owner - C:\WINNT\system32\dllcache\msnmsgr.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe[/PHP]

My Panda Online Scan


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\uwimynhh.dll
Virus:W32/Sdbot.KBD.worm Disinfected Operating system
Spyware:Spyware/Virtumonde Not disinfected C:\WINNT\system32\tuvustu.dll
Virus:Trj/Sfc.A.mod Disinfected Operating system
Dialer:Dialer.EHF Not disinfected C:\a.exe
Dialer:Dialer.HPR Not disinfected C:\bbm.exe
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\qhxasrdv.dll.bad
Spyware:Spyware/Vundo Not disinfected C:\VundoFix Backups\ribpgwxf.dll.bad
Virus:W32/Sdbot.KBD.worm Disinfected C:\WINNT\system32\dllcache\msnmsgr.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\j
Adware:Adware/Aureate-Radiate Not disinfected D:\Old Data\users\ALVIN\download\123search\123search.zip[advert.dl_][advert.dl_]

I've done everything it told me to in "Before you POST" so hopefully i haven't made any mistakes so far.. and the PHP quote thing? i thought it'd be easier to look through, thanks so much!

"Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options." I mis-read. Sorry.

Here's my HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:42:05 PM, on 4/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINNTSystem32smss.exe
C:WINNTsystem32winlogon.exe
C:WINNTsystem32services.exe
C:WINNTsystem32lsass.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32spoolsv.exe
C:Program FilesBelkinBelkin Wireless Network UtilityWLService.exe
C:Program FilesBelkinBelkin Wireless Network UtilityWLanCfgG.exe
C:Program FilesNavNTdefwatch.exe
C:WINNTSystem32svchost.exe
C:PROGRA~1IomegaSystem32AppServices.exe
C:WINNTSystem32llssrv.exe
C:Program FilesNavNTrtvscan.exe
C:WINNTsystem32nvsvc32.exe
C:WINNTsystem32MSTask.exe
C:WINNTsystem32stisvc.exe
C:WINNTSystem32WBEMWinMgmt.exe
C:WINNTsystem32svchost.exe
C:WINNTSystem32tcpsvcs.exe
C:WINNTSystem32inetsrvinetinfo.exe
C:WINNTSystem32msdtc.exe
C:WINNTsystem32Dfssvc.exe
C:WINNTExplorer.EXE
C:WINNTsystem32MsgSys.EXE
C:WINNTSystem32svchost.exe
C:Program FilesNavNTvptray.exe
C:Program FilesANIANIWZCS2 ServiceWZCSLDR2.exe
C:WINNTsystem32RUNDLL32.EXE
C:PROGRAM FILESSCANJETPrecisionScanLThppwrsav.exe
C:Program FilesD-LinkAirPlus XtremeGAirPlusCFG.exe
C:Program FilesDAEMON Toolsdaemon.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:WINNTsystem32wuauclt.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:hijackthisHijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTsystem32msdxm.ocx
O4 - HKLM..Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM..Run: [vptray] C:Program FilesNavNTvptray.exe
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINNTsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [ANIWZCS2Service] C:Program FilesANIANIWZCS2 ServiceWZCSLDR2.exe
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINNTsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [hppwrsav] C:PROGRAM FILESSCANJETPrecisionScanLThppwrsav.exe
O4 - HKLM..Run: [SoundService] rundll32.exe "C:\WINNT\system32\uwimynhh.dll",setvm
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..Run: [Application Layer Gateway Service] C:WINNTsystem32algs.exe
O4 - HKLM..Run: [D-Link AirPlus XtremeG] C:Program FilesD-LinkAirPlus XtremeGAirPlusCFG.exe
O4 - HKLM..Run: [SANS Service] C:WINNTsystem32sansv.exe
O4 - HKLM..Run: [Windows Logon Application] C:WINNTsystem32logon.exe
O4 - HKLM..Run: [Advanced DHTML Enable] C:WINNTsystem32nber.exe
O4 - HKLM..Run: [Spooler SubSystem App] C:WINNTsystem32spoolsvc.exe
O4 - HKLM..Run: [Local Security Authority Service] C:WINNTsystem32lssas.exe
O4 - HKCU..Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [Iomega Automatic Backup] C:Program FilesIomegaIomega Automatic Backupibackup.exe
O4 - Startup: Adobe Gamma.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:Program FilesCommon FilesAutodesk Sharedacstart17.exe
O4 - Global Startup: Device Detector 3.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINNTwebrelated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINNTwebrelated.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174493667125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174894509296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:Program FilesCommon FilesAutodesk SharedServiceAdskScSrv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:Program FilesBelkinBelkin Wireless Network UtilityWLService.exe
O23 - Service: DefWatch - Symantec Corporation - C:Program FilesNavNTdefwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:PROGRA~1IomegaSystem32AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:WINNTlsasrv.exe (file missing)
O23 - Service: LSA Shell Export-Version - Unknown owner - C:WINNTlsass.exe (file missing)
O23 - Service: MSN Clean Messenger - Unknown owner - C:WINNTsystem32dllcachemsnmsgr.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:Program FilesNavNTrtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINNTsystem32nvsvc32.exe

My Panda Online Scan

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:WINNTsystem32uwimynhh.dll
Virus:W32/Sdbot.KBD.worm Disinfected Operating system
Spyware:Spyware/Virtumonde Not disinfected C:WINNTsystem32tuvustu.dll
Virus:Trj/Sfc.A.mod Disinfected Operating system
Dialer:Dialer.EHF Not disinfected C:a.exe
Dialer:Dialer.HPR Not disinfected C:bbm.exe
Spyware:Spyware/Vundo Not disinfected C:VundoFix Backupsqhxasrdv.dll.bad
Spyware:Spyware/Vundo Not disinfected C:VundoFix Backupsribpgwxf.dll.bad
Virus:W32/Sdbot.KBD.worm Disinfected C:WINNTsystem32dllcachemsnmsgr.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:WINNTsystem32j
Adware:Adware/Aureate-Radiate Not disinfected D:Old DatausersALVINdownload123search123search.zip[advert.dl_][advert.dl_]

Hi, welcome to Safer Networking Forums!

I'm afraid I have some bad news...

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

!! :sad:

yes, i would still like to clear it first, my pc is an ex server so it won't let me reinstall just a normal copy of windows, or w.e..

thank you for your help~ much appreciated, :red:

what should my first step be :spider:

It is possible that some of the entries are hiding from us, so please rename HijackThis.exe to something like angelfire777.exe

*Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum, vundofix log with a new HijackThis log

thank you for the quick response!:eek:

and im sorry for the long reply lol,

I had followed everything you told me to do, but i looked through the links you sent me, and it did suggest in this case, where the computer used to be for holding client information,

its a very good idea to reformat and just get rid of everything..

so im going to search for an OS, BUT this doesn't mean i did not appreciate your help!

infact i appreciate this very much, so thank you!! i'd be an idiot if i saved a computer with important information only to have it later be infected again..:oops:

I'm sorry if it ended up this way but it was for the best:bigthumb:


Here are some free programs I recommend that could help you improve your pc's security after you reformat.

AntiVirus - Having one AntiVirus is a MUST in your system. If you do not have one, it is very important to get one right now. Here are some free but good AntiVirus:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/freeweb.php/doc/2/)
» AntiVir (http://www.free-av.com/)

Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://http//www.sunbelt-software.com/Kerio-Download.cfm)

Adaware
~You can download it from here (http://www.lavasoft.de)
~There is a tutorial on how to use Adaware properly here (http://forums.spywareinfo.com/index.php?showtopic=11150)

Spybot Search and Destroy
~You can download it from here (http://security.kolla.de/index.php?lang=en&page=download) . Just choose a mirror and off you go.
~There is also a tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.