IE opens by itself, PC runs slow, reinfects after running Spybot, and so on...



iwoolman
2007-04-05, 02:52
Here's the log (virus scan below). Thanks for taking the time.

Brian

...
Logfile of HijackThis v1.99.1
Scan saved at 5:25:18 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\pchealth\aolsoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\digtizer.exe
C:\WINDOWS\repair\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\System32\igfxext.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehungersite.com/cgi-bin/WebObjects/CTDSites
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [FjEvents] c:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] c:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [Fujitsu Menu] c:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkdekdsq.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cornintra] C:\DOCUME~1\ADMINI~1\APPLIC~1\ONERDR~1\ListGrid.exe
O4 - Startup: Shortcut to To Do 2007-01.lnk = C:\Documents and Settings\Administrator\My Documents\My Notes\To Do 2007-01.jnt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167941373430
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167941361082
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Software Service (AOLSoftSVC) - Unknown owner - C:\WINDOWS\pchealth\aolsoftware.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Reboot Protocol - Unknown owner - C:\WINDOWS\repair\svchost.exe

...

I tried three of the virus scan services. Trend Micro froze. Panda wouldn't start. CA finally got it, but didn't provide what I consider to be a log. Below is what I copied from the results page.


VIRUSES FOUND - 2007-04-04

CA SCAN

File           Detection               Action          Location
efccdcy.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
efcyxyw.dll    Win32/Chisyne!generic   cannot delete   C:\WINDOWS\system32\
fccdaxy.dll    Win32/Chisyne!generic   cannot delete   C:\WINDOWS\system32\
hggfcbc.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
mljghfe.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
noecocup.exe   Win32/Reastop.A         deleted         C:\WINDOWS\system32\
pmnkijg.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
qomnmmm.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
ssqpqnm.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\
vmaqlcju.exe   Win32/Reastop.A         deleted         C:\WINDOWS\system32\
yayxurs.dll    Win32/Chisyne!generic   deleted         C:\WINDOWS\system32\

iwoolman
2007-04-05, 03:08
I just restarted and the following is now missing:

C:\WINDOWS\system32\qkdekdsq.dll

Thanks again.

pskelley
2007-04-05, 14:34
Hi Brian and welcome to the forum, sorry to be the bearer of bad news but it is a nasty one: http://www.castlecops.com/o23list-2518.html
and a Backdoor.Win32.SdBot. For your security I need to give you this information:
http://www.sophos.com/virusinfo/analyses/w32sdbotaaq.html
Allows others to access the computer
Modifies data on the computer
Steals information
Drops more malware
Downloads code from the internet
Reduces system security

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks

iwoolman
2007-04-05, 23:13
Hi pskelley,

Well, that certainly sucks. But it's not all bad news: This is an oft-used, but secondary machine. Not much on it to worry about. Still, I could see a lot of trouble brewing here. Hence, immediately after this message, I'll access the Internet from work. And, yep, I'll do the reinstall.

I'm curious to know if there's anything else you can tell me. Specifically, if there's any indication (or if you have any idea) how this came to be.

Thanks for your time. It's very much appreciated and, who knows, maybe saved me from some heartache. I'm certainly impressed with how much service you all provide.

Peace,

Brian

pskelley
2007-04-05, 23:33
Hi Brian, as soon as I saw that trojan, my first thoughts were to get the information to you as fast as possible.
Let me say I respect your decision, it is exactly what I would do if this infection was on one of my computers.

I'll give you this link in the event you want to express your thoughts and feelings about the junk being put on people's computers:
http://www.malwarecomplaints.info/
Let there be no doubt, this trojan is about the $$$ and it is very likely organized crime is involved from somewhere in the world.
This link: http://www.sophos.com/virusinfo/analyses/w32sdbotaaq.html that I posted before will supply you with all the information you need, just take the time to click on each tab, especially "Description".
Please note that there is also most certainly a rootkit involved with this trojan.
Google has more information available if you need it:
http://www.google.com/search?hl=en&q=W32%2FSdbot-AAQ+&btnG=Google+Search

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkdekdsq.dll",setvm
This item also is bundled with the trojan, and does not seem to have been identified yet, though I see it a lot.

I doubt it has much to do with this, but you do have an out of date Java program:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

I am not positive, but I believe this item:
O4 - HKCU\..\Run: [Cornintra] C:\DOCUME~1\ADMINI~1\APPLIC~1\ONERDR~1\ListGrid.exe
is a marker for LOP/C2 Media, read about it here:
http://inetexplorer.mvps.org/data/lop.htm

If I can provide more service, please let me know.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
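An added example, not part of the original thread and not HijackThis code: a small Python script that applies the checks Phil's two replies rest on to the O4 (Run key) and O23 (service) lines of a log like the one above. It flags a core Windows binary name (svchost.exe) running from outside %SystemRoot%\system32, a Run entry that has rundll32 load a DLL by export, an autostart launched from a user-writable profile folder, and a service with no vendor string. Assumptions, also marked in the code: %SystemRoot% is C:\WINDOWS (true of the posted log), the listed core binaries live only in system32 on XP, and the five sample lines are copied from the log above.

```python
"""Triage of HijackThis O4 (Run key) and O23 (service) lines.

Added example, not part of the original thread or of HijackThis itself.
It encodes the patterns the replies above point at: a service whose binary
carries the name of a core Windows component (svchost.exe) but runs from
outside %SystemRoot%\\system32, a Run entry that uses rundll32 to load a
DLL by export, a Run entry that starts from a user-writable profile folder,
and a service with no vendor string. It parses log text only; it does not
hash or verify the files themselves.
"""
import ntpath
import re

# Assumption: %SystemRoot% is C:\WINDOWS, as in the posted log.
SYSTEM32 = r"c:\windows\system32"

# Core Windows binaries that live only in system32 on XP (assumption).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe"}

# Profile folders that legitimate autostarts rarely point into.
USER_WRITABLE = re.compile(
    r"\\(APPLIC~1|Application Data|Local Settings|Temp)\\", re.I)

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 takes  "<dll>",<export>  (quotes optional).
RUNDLL_ARG_RE = re.compile(r'"?([^",]+)"?\s*,\s*(\w+)')


def _executable(cmd):
    """Return the program at the head of a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return [(entry_name, reason), ...] for one HijackThis line."""
    findings = []
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group("name", "owner", "path")
        folder = ntpath.dirname(path).lower()
        if ntpath.basename(path).lower() in CORE_BINARIES and folder != SYSTEM32:
            findings.append((name, "core Windows binary name running from %s" % folder))
        if owner == "Unknown owner":
            findings.append((name, "service binary carries no vendor information"))
        return findings

    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name", "cmd")
        exe = _executable(cmd)
        if ntpath.basename(exe).lower() == "rundll32.exe":
            # The DLL named after rundll32 is the payload, not rundll32 itself.
            rest = cmd[cmd.find(exe) + len(exe):]
            arg = RUNDLL_ARG_RE.search(rest)
            if arg:
                findings.append((name, "rundll32 loads %s via export %s; inspect the DLL"
                                 % arg.groups()))
        if USER_WRITABLE.search(exe):
            findings.append((name, "autostart runs from a user-writable profile folder"))
    return findings


def triage(lines):
    """Run triage_line over every line and collect all findings."""
    findings = []
    for line in lines:
        findings.extend(triage_line(line.rstrip("\r\n")))
    return findings


# Five lines copied from the log posted above: two known-good entries and
# the three the replies single out.
SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\qkdekdsq.dll",setvm
O4 - HKCU\..\Run: [Cornintra] C:\DOCUME~1\ADMINI~1\APPLIC~1\ONERDR~1\ListGrid.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: System Reboot Protocol - Unknown owner - C:\WINDOWS\repair\svchost.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print("[%s] %s" % (name, reason))
```

Two caveats on reading the output. "Unknown owner" by itself is weak evidence: in the full log it is also printed for the AOL service, and a vendor string on the other services does not make them trusted. The strong signal is the path: nothing legitimate installs a file called svchost.exe under C:\WINDOWS\repair, and a randomly named DLL in system32 started through rundll32 is the same pattern the CA scan results show for the Chisyne files. The script only reads the log; confirming a verdict means hashing the file or submitting it to a scanner.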

iwoolman
2007-04-08, 00:32
I've reloaded the OS and came to my office to burn every piece of security software I can to a CD to load on before the formerly infected PC gets anywhere near the Internet. I have a couple of questions:

Should I ask my ISP to change my IP address?

Is it safe to reload files I backed up just before reloading the OS? These are Word and OpenOffice docs, couple videos I bought from iTunes, images and text files.

Thanks,

Brian

pskelley
2007-04-08, 01:46
Hi Brian, Thanks for your questions, have a look here, most if not all will be answered: http://www.cyberwalker.com/faqs/how-tos/reinstall-faq.html

"Should I ask my ISP to change my IP address?"
Why don't you ask that question of your ISP, they would by far be in the best position to advise you.
Here is some information also: http://www.google.com/search?hl=en&q=reinstalling+files+after+a+reformat&btnG=Search

Thanks
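An added example, not part of the original thread: a Python script for the question Brian asks above, whether it is safe to copy backed-up documents and media back onto the reinstalled machine. It walks a backup folder and flags anything that does not belong in a documents/media backup: a file with an executable or script extension, a document-looking name carrying a second extension (report.doc.exe), and any file whose first two bytes are the PE "MZ" header regardless of what the extension claims. The sample files it writes into a temporary folder are constructed for the example; the list of expected document extensions is an assumption based on the file types Brian lists.

```python
"""Pre-restore triage of a backup of user documents and media.

Added example, not from the original thread. Before copying backed-up
files onto a freshly reinstalled system, it flags anything that should not
be in a documents/media backup: executable or script extensions, a
document-looking name with a second extension (report.doc.exe), and any
file whose content starts with the PE "MZ" header whatever its extension
says. Checks are by name and leading bytes only; a flagged file is to be
quarantined, not opened.
"""
import os
import tempfile

# Assumption: the file types the thread's owner expects to restore
# (Word and OpenOffice documents, iTunes video, images, text).
DOCUMENT_EXTS = {".doc", ".odt", ".ods", ".txt", ".jpg", ".png", ".gif",
                 ".m4v", ".mp4", ".mp3"}
# Anything Windows will run directly or that can launch something else.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".hta", ".lnk"}
PE_MAGIC = b"MZ"


def classify(path):
    """Return the reasons to quarantine path; an empty list means it looks OK."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable or script extension %s" % ext)
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        reasons.append("double extension: looks like %s but is %s" % ("." + parts[-2], ext))
    with open(path, "rb") as f:
        if f.read(2) == PE_MAGIC:
            reasons.append("content is a Windows PE executable (MZ header)")
    return reasons


def triage_tree(root):
    """Walk root and return {relative_path: reasons} for every flagged file."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            reasons = classify(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


# Constructed sample backup: three files to keep, three that must not go back.
SAMPLE_FILES = {
    "notes.txt": b"meeting notes, nothing else",
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # JPEG SOI marker
    "thesis.odt": b"PK\x03\x04" + b"\x00" * 16,            # OpenDocument (zip container)
    "report.doc.exe": b"MZ\x90\x00" + b"\x00" * 16,         # PE hiding behind .doc
    "album.jpg": b"MZ\x90\x00" + b"\x00" * 16,              # PE renamed to .jpg
    "To Do.lnk": b"L\x00\x00\x00" + b"\x00" * 16,          # shortcut; can launch anything
}


def demo():
    """Write the constructed sample into a temp folder and triage it."""
    root = tempfile.mkdtemp(prefix="restore-triage-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return triage_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print("QUARANTINE %-16s %s" % (rel, "; ".join(reasons)))
```

The point of the MZ check is that a renamed executable passes every extension-based filter; content has to be inspected, not the name. The script is a first pass, not a clearance: a Word document with a malicious macro or a media file that exploits a player bug passes it, so the files that remain should still be scanned with current signatures on the clean system before being opened.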

iwoolman
2007-04-10, 02:11
Hi,

I wiped the disk, reinstalled the OS and got everything running with the security programs below running in XP with SP1. When I added SP2, all I got was the desktop. I tried again with the same result. So now I have it back up and running under SP1, and I just don't want to add SP2 again. Part of me suspects the problem might lie in the added goodies Fujitsu wants me to install, but I have no evidence. Any thoughts, suggestions, etc., would be appreciated.

Thanks,

Brian

Spyware Blaster
mvpshosts
Spybot Search & Destroy
SpywareGuard
Zone Alarm
Windows Defender (only the first time with SP2)

pskelley
2007-04-10, 02:36
You can get help with SP2 from Microsoft Tech Support:

http://support.microsoft.com/

pskelley
2007-04-15, 12:43
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks