connection is actively downloading and uploading



thecosmoguy
2007-04-25, 06:58
My connection is actively downloading and uploading when I have a connection; even if I'm on a blank page it is still active. This isn't normal, because I watch for this and it just started a few days ago. I have used the newest versions with all updates of HijackThis and Spybot and cleared out (Smitfraud, Nurech.A and SpySheriff), and all looks clear, but I have a feeling my connection is being redirected to download this crap again (all without an Explorer window even open). I normally don't have any problem cleaning out viruses, trojans and malware with Spybot and HijackThis, but this one is not going away.
Does anyone know what's going on here? How can I fix this OR find out where my connection is communicating with... I think there is some sort of hidden redirect on my computer that is connecting with a site that keeps downloading new bugs. Also, automatic updates for my Windows were turned off. Could I have an unidentified (as of yet) virus?

ALSO: I have a copper wire connection/phone modem that normally connects at many different speeds (19000, 26000, 36000, 43000, etc.) but now is ALWAYS connecting at 24,000 no matter if I switch to any one of 5 dial-up connection phone numbers. This is also very weird.

Bottom line is my connection is actively exchanging information with something even when no web page is directed. I think my PC is being controlled by some unfound software. Any help will be greatly appreciated, thanks in advance.

windows xp pro 5.1 build 2600xpsp_sp2
explorer v 6.0 sp2

VundoFix.exe found nothing


Here is my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:35:46 AM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RED1\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Spybot is clean:

Activescan was tested:
(all "Not Disinfected" incidents were manually deleted by me.)
Results:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\restart.exe
Adware:adware/ncase Not disinfected C:\WINDOWS\180ax.exe
Virus:Trj/Alanchum.UL Disinfected C:\WINDOWS\system32\adirka.exe
Virus:Trj/Alanchum.UM Disinfected C:\WINDOWS\system32\adirss.exe
Virus:Trj/Alanchum.UA Disinfected C:\WINDOWS\system32\dd.exe
Adware:Adware/SpyAway Not disinfected C:\WINDOWS\system32\eumyuvjp.exe
Virus:Trj/Alanchum.MT Disinfected C:\WINDOWS\system32\google.png.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\gykkewtw.amz
Virus:Trj/Downloader.NRW Disinfected C:\WINDOWS\system32\hqwmqnzk.exe
Virus:Trj/Downloader.NDY Disinfected C:\WINDOWS\system32\hulwpzji.exe
Virus:Trj/Downloader.NDY Disinfected C:\WINDOWS\system32\huyeqzuz.exe
Adware:Adware/SpyAway Not disinfected C:\WINDOWS\system32\idleserv.exe
Adware:Adware/SpySoldier Not disinfected C:\WINDOWS\system32\intr32.dll
Virus:Trj/Alanchum.UL Disinfected C:\WINDOWS\system32\ma.exe.exe
Virus:W32/Nurech.H.worm Disinfected C:\WINDOWS\system32\rsvp32_2.dll
Virus:W32/Nurech.H.worm Disinfected C:\WINDOWS\system32\rsvp32_2.dll435
Virus:W32/Nurech.H.worm Disinfected C:\WINDOWS\system32\rsvp32_2.dll534g
Virus:Trj/Alanchum.UA Disinfected C:\WINDOWS\system32\sc.exe.tmp
Virus:Trj/Alanchum.RX Disinfected C:\WINDOWS\system32\setup.exe.tmp
Virus:Trj/Alanchum.UA Disinfected C:\WINDOWS\system32\sm.exe
Virus:Trj/Alanchum.UM Disinfected C:\WINDOWS\system32\smt.exe
Virus:Trj/Gagar.DM Disinfected C:\WINDOWS\system32\uczkidfe.exe
Virus:Trj/Alanchum.TS Disinfected C:\WINDOWS\system32\vjxghotj.exe
Virus:Trj/Downloader.NDY Disinfected C:\WINDOWS\system32\vwbvhmtj.exe
Adware:Adware/SpyAway Not disinfected C:\WINDOWS\system32\xtlzgnuf.exe
Adware:adware/topconvert Not disinfected C:\WINDOWS\updatetc.exe

Mr_JAk3
2007-05-02, 10:30
Hello thecosmoguy and welcome to the Forums :)

Is that the full HijackThis log? (You haven't fixed or whitelisted anything?)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
:bigthumb:

thecosmoguy
2007-05-02, 17:30
Thank you for the response Mr Jak3!
Your question: "Is that the full HijackThis log? (You haven't fixed or whitelisted anything?)"
I may have fixed everything in belief that this would be an EZ fix and I could get on with life... but this thing is not fixing through the traditional fixes. I try to run fairly lean in my system loading without a lot of junk.
I ran the ComboFix and it may have found a pile of trash... I'll let you make the call, here it is:


ComboFix.txt:
"RED1" - 07-05-02 11:04:36 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\RED1\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\system32\cent.exe.exe
C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\system32\pep.exe.exe
C:\WINDOWS\system32\pp.exe.exe
C:\WINDOWS\system32\zoom.exe.exe
C:\WINDOWS\system32\zu.exe.exe
C:\DOCUME~1\RED1\Desktop\internet.lnk
C:\WINDOWS\system32\m22.exe
C:\WINDOWS\system32\paars.ini
C:\WINDOWS\pp.exe
C:\WINDOWS\via.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 00:41 96,256 --a------ C:\WINDOWS\system32\sony.exe
2007-04-30 11:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-23 12:53 21,671 --a------ C:\WINDOWS\system32\cent.exe
2007-04-23 12:47 6,996 --a------ C:\WINDOWS\system32\rgrjylav.exe
2007-04-16 09:19 6,934 --a------ C:\WINDOWS\system32\otlrklkl.exe
2007-04-08 22:46 6,798 --a------ C:\WINDOWS\system32\xupqzezr.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-31 12:07 7471 --a------ C:\WINDOWS\system32\sca.exe
2007-03-25 11:19 -------- d-------- C:\Program Files\safer networking
2007-03-16 09:42 8704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-16 09:41 6789 --a------ C:\WINDOWS\system32\eqovzzsp.exe
2007-03-08 15:59 49152 --a------ C:\WINDOWS\system32\msdtc_32.exe
2007-03-08 15:58 6750 --a------ C:\WINDOWS\system32\amvpvqem.exe
2007-02-28 00:50 25344 --a------ C:\WINDOWS\system32\wml.exe
2007-02-28 00:50 23808 --a------ C:\WINDOWS\system32\msixu.dll
2007-02-28 00:50 21760 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-02-28 00:50 19456 --a------ C:\WINDOWS\mspphe.dll
2007-02-28 00:50 18432 --a------ C:\WINDOWS\saiemod.dll
2007-02-28 00:50 15616 --a------ C:\WINDOWS\bjam.dll
2007-02-28 00:24 0 --a------ C:\WINDOWS\system32\cdromdrv32.dll
2007-02-28 00:16 18944 --a------ C:\WINDOWS\salm.exe
2007-02-28 00:16 17664 --a------ C:\WINDOWS\vxddsk.exe
2007-02-28 00:16 14848 --a------ C:\WINDOWS\mssvr.exe
2007-02-28 00:16 12800 --a------ C:\WINDOWS\wml.exe
2007-02-28 00:11 12800 --a------ C:\WINDOWS\system32\user_32.dll
2007-02-21 22:49 1034 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-20 13:43 6706 --a------ C:\WINDOWS\system32\rghyziki.exe
2007-02-13 11:58 4805 --a------ C:\WINDOWS\system32\oqbmxuys.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"EasyTuneV"="C:\\Program Files\\Gigabyte\\ET5\\GUI.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 11:05:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt84c-458e

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-84c-458e.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 12288 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


********************************************************************

Completion time: 07-05-02 11:05:42
C:\ComboFix-quarantined-files.txt ... 07-05-02 11:05

ComboFix-quarantined-files.txt :


[code]
05-08-06 21:14 104 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\RED1\Desktop\Internet.lnk.vir
07-03-16 09:42 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\via.exe.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtsmt.dll.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtsmtspm.dll.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtforum.dll.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtsmt.dll.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtsmtspm.dll.vir
07-03-16 09:42 3 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtwbmail.dll.vir
07-03-16 09:42 36485 --a------ C:\Qoobox\Quarantine\C\WINDOWS\pp.exe.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtaim.dll.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtforum.dll.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtgtal.dll.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmticq.dll.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtwbmail.dll.vir
07-03-16 09:42 48 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtymsg.dll.vir
07-03-23 17:11 40703 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pp.exe.exe.vir
07-03-23 17:11 67584 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\m22.exe.vir
07-03-23 17:11 97023 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\zu.exe.exe.vir
07-03-23 17:13 13179 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\paars.ini.vir
07-03-31 12:07 40751 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pep.exe.exe.vir
07-03-31 12:07 97071 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\zoom.exe.exe.vir
07-04-23 12:49 16156 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cent.exe.exe.vir
07-04-23 12:50 40788 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir
07-05-02 11:05 1052 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINCOM32.reg.cf


Folder PATH listing for volume DRV1_VOL1
Volume serial number is A5D6-1C60
C:\QOOBOX
\---Quarantine
+---C
| +---DOCUME~1
| | \---RED1
| | \---Desktop
| | Internet.lnk.vir
| |
| \---WINDOWS
| | pp.exe.vir
| | via.exe.vir
| |
| \---system32
| cent.exe.exe.vir
| m22.exe.vir
| paars.ini.vir
| pdp.exe.exe.vir
| pep.exe.exe.vir
| pfxzmtaim.dll.vir
| pfxzmtforum.dll.vir
| pfxzmtgtal.dll.vir
| pfxzmticq.dll.vir
| pfxzmtsmt.dll.vir
| pfxzmtsmtspm.dll.vir
| pfxzmtwbmail.dll.vir
| pfxzmtymsg.dll.vir
| pp.exe.exe.vir
| sfxzmtforum.dll.vir
| sfxzmtsmt.dll.vir
| sfxzmtsmtspm.dll.vir
| sfxzmtwbmail.dll.vir
| zoom.exe.exe.vir
| zu.exe.exe.vir
|
\---Registry_backups
LEGACY_WINCOM32.reg.cf

[/code]

OK, I'll do nothing more until I hear back from you... thank you again,
Cosmo

Mr_JAk3
2007-05-02, 20:42
Hello :)

Looks quite bad, you have a rootkit in your system.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

========

If you want to clean it:

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

:bigthumb:

thecosmoguy
2007-05-03, 16:27
I don't like what I see:
windev-84c-458e.sys (*** hidden *** )
I haven't done anything to my system since this scan. I really would like to patch/fix this OS until I have time to do a complete reformat. Thank you for this effort,
Cosmo


GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-03 10:13:58
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwQueryDirectoryFile <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\windev-84c-458e.sys (*** hidden *** ) [AUTO] windev-84c-458e <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1488-3A14
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@Service windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@DeviceDesc windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E\0000@Service windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E\0000@DeviceDesc windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E\0000\Control@ActiveService windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E\0000@Service windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E\0000@DeviceDesc windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1488-3A14
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@Service windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@DeviceDesc windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-84C-458E
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-84C-458E\0000@Service windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-84C-458E\0000@DeviceDesc windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1488-3A14
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@Service windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1488-3A14\0000@DeviceDesc windev-1488-3a14
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1488-3A14@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E\0000@Service windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E\0000@DeviceDesc windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E\0000\Control@ActiveService windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E\0000@Service windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E\0000@DeviceDesc windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-84C-458E@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@Start 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@ImagePath \??\C:\WINDOWS\system32\windev-84c-458e.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-84c-458e@DisplayName windev-84c-458e
Reg \Registry\USER\S-1-5-21-823518204-113007714-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603@000 windev-peers.ini

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\system32\windev-84c-458e.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\windev-peers.ini

---- EOF - GMER 1.0.12 ----
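As an added example (not part of the thread and not GMER's own code), here is a small Python triage of a GMER log, run over a constructed excerpt built from the entries posted above: it groups the SSDT hooks, the Tcpip device hooks and the hidden service by driver and spells out what each hook lets that driver conceal from user-mode tools. The SYSCALL_HIDES mapping is the editor's reading of those native calls, not something GMER reports.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the GMER 1.0.12 log format posted in this thread
# (entries copied from the posted scan, abbreviated; not the full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-84c-458e.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [ECDBD7A0] windev-84c-458e.sys
---- Services - GMER 1.0.12 ----
Service C:\WINDOWS\system32\windev-84c-458e.sys (*** hidden *** ) [AUTO] windev-84c-458e <-- ROOTKIT !!!
---- Files - GMER 1.0.12 ----
File C:\WINDOWS\system32\windev-84c-458e.sys <-- ROOTKIT !!!
File C:\WINDOWS\system32\windev-peers.ini
---- EOF - GMER 1.0.12 ----
"""

# What a kernel rootkit can filter out of user-mode view by hooking each
# native call. Editor's mapping, not GMER output; the last entry is not
# hooked in the thread's log and is listed only for completeness.
SYSCALL_HIDES = {
    "ZwEnumerateKey": "registry keys",
    "ZwEnumerateValueKey": "registry values",
    "ZwQueryDirectoryFile": "files and directories",
    "ZwQuerySystemInformation": "processes and modules",
}
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
DEVICE_RE = re.compile(r"^Device\s+\S+\s+(\S+)\s+(IRP_MJ_\w+)\s+\[[0-9A-Fa-f]+\]\s+(\S+)")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\((.*?)\)\s+\[(\w+)\]\s+(\S+)")
FILE_RE = re.compile(r"^File\s+(.+?)\s*(<-- ROOTKIT !!!)?$")


@dataclass
class DriverFindings:
    image: str = ""                                       # path as GMER printed it
    hooked_syscalls: list = field(default_factory=list)   # SSDT entries pointing here
    hooked_devices: list = field(default_factory=list)    # (device, IRP major function)
    service_name: str = ""
    start_mode: str = ""
    hidden_service: bool = False

    def concealed(self):
        """Object classes this driver can hide, derived from its SSDT hooks."""
        return {SYSCALL_HIDES.get(s, "unknown (" + s + ")") for s in self.hooked_syscalls}

    def is_rootkit(self):
        # The two signs GMER tagged '<-- ROOTKIT' in the thread's log.
        return bool(self.hooked_syscalls) or self.hidden_service


@dataclass
class ScanReport:
    drivers: dict = field(default_factory=dict)   # image basename -> DriverFindings
    files: list = field(default_factory=list)     # (path, tagged as ROOTKIT by GMER)

    def driver(self, path):
        """Key findings by image basename so SSDT, Device and Service lines merge."""
        d = self.drivers.setdefault(path.rsplit("\\", 1)[-1].lower(), DriverFindings())
        if "\\" in path and not d.image:
            d.image = path
        return d


def parse_gmer_log(text):
    """Collect the SSDT, Device, Service and File lines of a GMER scan per driver."""
    report = ScanReport()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SSDT_RE.match(line):
            report.driver(m.group(1)).hooked_syscalls.append(m.group(2))
        elif m := DEVICE_RE.match(line):
            report.driver(m.group(3)).hooked_devices.append((m.group(1), m.group(2)))
        elif m := SERVICE_RE.match(line):
            d = report.driver(m.group(1))
            d.hidden_service = "hidden" in m.group(2)
            d.start_mode, d.service_name = m.group(3), m.group(4)
        elif m := FILE_RE.match(line):
            report.files.append((m.group(1), m.group(2) is not None))
    return report


def summarize(report):
    """One verdict line per driver, explaining what each hook lets it do."""
    out = []
    for name, d in sorted(report.drivers.items()):
        parts = []
        if d.hooked_syscalls:
            parts.append("hooks " + ", ".join(d.hooked_syscalls)
                         + " (can hide " + ", ".join(sorted(d.concealed())) + ")")
        if d.hooked_devices:
            parts.append("filters " + ", ".join(sorted({irp for _, irp in d.hooked_devices}))
                         + " on " + ", ".join(dev for dev, _ in d.hooked_devices))
        if d.service_name:
            parts.append(("hidden " if d.hidden_service else "") + "service "
                         + d.service_name + " [" + d.start_mode + "]")
        out.append(("ROOTKIT " if d.is_rootkit() else "review ") + name + ": " + "; ".join(parts))
    return out
```

Running `summarize(parse_gmer_log(SAMPLE_LOG))` yields one line tying the three SSDT hooks (registry keys, registry values, directory listings hidden), the Tcpip IRP filtering and the hidden AUTO-start service to the same image, which is why the earlier HijackThis and Spybot scans could look clean.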

Mr_JAk3
2007-05-03, 19:17
Ok good, now we'll get rid of the bug.

Run a new rootkit scan with GMER.

When you see the following service on the list:

Service C:\WINDOWS\system32\windev-84c-458e.sys (*** hidden *** ) [AUTO] windev-84c-458e <-- ROOTKIT !!!

Right-click it with your mouse and a menu will open. Choose "Delete the service" from the list.
If GMER asks for a reboot allow it to do it.

Then close GMER and restart your computer.

Then we'll upload a few files for further inspection.

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\system32\windev-84c-458e.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\cent.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum (http://www.thespykiller.co.uk/forum/index.php?board=1.0)
There's no need to register. Just start a new topic, titled "Files for Mr_Jak3".
Add the link of this topic to the message.

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself), as they only show to the authorised users who can download them.

Run a new scan with GMER but don't use your computer during the scan.
When the scan has finished please copy/upload the results to me.

:bigthumb:

Mr_JAk3
2007-05-04, 21:51
Hello thecosmoguy :)

You only uploaded my instructions. Please try again. Upload the requested-files[Date/Time].cab (on the desktop) file you created with Suspicious file Packer :bigthumb:

thecosmoguy
2007-05-04, 23:25
Hi MrJak3... sorry about the bad upload... I just posted the files at the site for your inspection... thanks

Mr_JAk3
2007-05-05, 19:33
Hello :)

Don't worry, I got the files now. Thanks.

Please restart the computer and post a fresh HijackThis log to here.

Then we'll clean the remains...
:bigthumb:

thecosmoguy
2007-05-06, 17:05
Here you go MrJak3,
As you know, I have used XP's restore option to set the PC to before the infection (I think), so keep that in mind. Thanks,


Logfile of HijackThis v1.99.1
Scan saved at 10:56:52 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\RED1\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Mr_JAk3
2007-05-07, 20:30
Hello and sorry for the long delay...


As you know, I have used XP's restore option to set the PC to before the infection (I think), so keep that in mind. Thanks,


OK, that may have caused some problems. Please follow my instructions.

We'll continue with a fresh GMER scan. Please do a rootkit scan and post a fresh log to here :bigthumb:

thecosmoguy
2007-05-08, 06:42
Even though the computer is working ok now I still have the backdoor problem (and all its files) in my computer, right? Shouldn't I get this junk out (if I can)? ... should I just start getting ready for a complete OS reload or can I buy a little time by deleting this stuff away... (I've got a lot of family pics I should start burning backups for)... you tell me.
I bet I'm being a real pain in the a$$ to you, I'm sorry.:sad:
Thank you again,
Cosmo:)
Here is the GMER:
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-08 00:24:18
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- EOF - GMER 1.0.12 ----

Mr_JAk3
2007-05-08, 09:00
Hello :)

Well the GMER log looks quite promising now. Well if you want to reformat you may do so and I can give instructions.

If you want to continue:

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

thecosmoguy
2007-05-09, 07:43
Well I've got a lot here... what a mess!:sick:
I'll wait for your overview...
Thank you, Cosmo

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 09, 2007 1:25:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/05/2007
Kaspersky Anti-Virus database records: 315668
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 32060
Number of viruses found: 27
Number of infected objects: 126 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:17:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/POPCORN72.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\RED1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab/C:/WINDOWS/system32/sony.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab/C:/WINDOWS/system32/cent.exe Infected: Packed.Win32.Tibs.v skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab CAB: infected - 2 skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\RED1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\History\History.IE5\MSHist012007050820070509\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RED1\ntuser.dat Object is locked skipped
C:\Documents and Settings\RED1\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\pp.exe.vir Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\m22.exe.vir Infected: Backdoor.Win32.Agent.amd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pep.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pp.exe.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zoom.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zu.exe.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030351.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030371.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030376.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP286\A0030389.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP286\A0030419.exe Infected: Email-Worm.Win32.Zhelatin.aj skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030512.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030513.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030514.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030743.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030745.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030746.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030747.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030756.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030842.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030843.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030844.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030845.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030846.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030847.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030848.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030850.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030851.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030852.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030853.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030854.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030891.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030893.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030899.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030900.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030901.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030913.exe Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030915.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030918.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031016.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031017.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031018.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031019.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031020.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031021.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033329.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033330.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033371.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033372.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033374.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033461.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033462.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033463.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033465.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033466.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033467.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033468.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033469.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033470.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033471.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033472.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033473.exe Infected: Email-Worm.Win32.Zhelatin.bp skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033474.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035570.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035584.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035635.sys Infected: SpamTool.Win32.Agent.af skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035669.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035670.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035671.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035672.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035673.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035675.exe Infected: Backdoor.Win32.Agent.amd skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035677.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035683.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035684.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035685.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035686.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035735.sys Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035820.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035830.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035831.exe Infected: Packed.Win32.Tibs.v skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035930.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP330\change.log Object is locked skipped

------------CONTINUED NEXT POST-----------

thecosmoguy
2007-05-09, 07:44
------------------------

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\pp.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adirka.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\WINDOWS\system32\adirka.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\adirss.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\amvpvqem.exe Infected: Email-Worm.Win32.Zhelatin.bb skipped
C:\WINDOWS\system32\asgp32.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cent.exe.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dd.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\eqovzzsp.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hqwmqnzk.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\hulwpzji.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\huyeqzuz.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\idleserv.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\WINDOWS\system32\intr32.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\WINDOWS\system32\lnwin.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\m22.exe Infected: Backdoor.Win32.Agent.amd skipped
C:\WINDOWS\system32\ma.exe.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\oqbmxuys.exe Infected: Email-Worm.Win32.Zhelatin.z skipped
C:\WINDOWS\system32\otlrklkl.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\WINDOWS\system32\pep.exe.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\pp.exe.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\rghyziki.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\WINDOWS\system32\rsvp32_2.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\system32\sca.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\sm.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\smt.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\uczkidfe.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\vjxghotj.exe Infected: Email-Worm.Win32.Zhelatin.bp skipped
C:\WINDOWS\system32\vwbvhmtj.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\waarwhnl.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wincom32.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\WINDOWS\system32\xtlzgnuf.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\xupqzezr.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\WINDOWS\system32\zoom.exe.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\zu.exe.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
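An added note and example, not part of the thread: the Kaspersky Online Scanner of that era only reports, it never cleans, which is why every hit above ends in "skipped". Most of the 126 hits are also not live: they sit in System Restore points (gone once System Restore is disabled and re-enabled), in ComboFix's C:\QooBox\Quarantine and Spybot's Recovery folder (already neutralised), or are dual-use tools flagged as not-a-virus (SmitfraudFix's Reboot.exe). What actually needs acting on are the copies still in C:\WINDOWS and C:\WINDOWS\system32. The script below is example code written for this page (not a Kaspersky or forum tool); it parses the report's line format into those buckets so the live set and its families can be read at a glance. The embedded sample is a constructed subset of lines copied from the report above, covering each line shape it uses; the bucket names and folder patterns are my own assumptions, not scanner output.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the Kaspersky Online
# Scanner report posted above, one of each line shape the report uses.
SAMPLE_REPORT = r"""
C:\Documents and Settings\RED1\ntuser.dat Object is locked skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab CAB: infected - 2 skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\m22.exe.vir Infected: Backdoor.Win32.Agent.amd skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031020.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\WINDOWS\system32\dd.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\m22.exe Infected: Backdoor.Win32.Agent.amd skipped
C:\WINDOWS\system32\wincom32.sys Infected: Rootkit.Win32.Agent.dh skipped
"""

# A report line is "<path> <verdict> skipped", where the verdict is one of:
#   "Infected: <name>" / "Suspicious: <name>"    a detection on that object
#   "Object is locked"                           file in use, never scanned
#   "<CAB|ZIP|RarSFX|...>: infected - N"         rollup line for a container
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<verdict>Infected|Suspicious): (?P<name>.+?)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): (?:infected|suspicious) - \d+)"
    r" skipped$"
)


def parse_report(text):
    """Turn report lines into records; header and statistics lines are ignored."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("verdict"):
            verdict, name = m.group("verdict"), m.group("name")
        elif m.group("locked"):
            verdict, name = "locked", None
        else:
            verdict, name = "container", m.group("container")
        records.append({"path": m.group("path"), "verdict": verdict, "name": name})
    return records


def classify(rec):
    """Bucket a record by what it means for cleanup (bucket names are mine)."""
    if rec["verdict"] == "locked":
        return "locked"          # hives, logs, index.dat in use: not a finding
    if rec["verdict"] == "container":
        return "container"       # rollup; its members are listed on their own lines
    p = rec["path"].lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # System Restore copies: purge by toggling System Restore
    if "\\qoobox\\quarantine\\" in p or "\\spybot - search & destroy\\recovery\\" in p:
        return "quarantine"      # already neutralised by ComboFix / Spybot
    if rec["name"].startswith("not-a-virus:"):
        return "riskware"        # dual-use tool, e.g. SmitfraudFix's Reboot.exe
    return "live"                # still on disk in a live location: act on these


def triage(text):
    """Summarise a report: counts per bucket, live paths, live malware families."""
    buckets = {}
    for rec in parse_report(text):
        buckets.setdefault(classify(rec), []).append(rec)
    live = buckets.get("live", [])
    return {
        "counts": {k: len(v) for k, v in buckets.items()},
        "live_paths": sorted(r["path"] for r in live),
        "live_families": Counter(r["name"] for r in live),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("per bucket:", summary["counts"])
    for path in summary["live_paths"]:
        print("LIVE:", path)
    print("families still live:", dict(summary["live_families"]))
```

Run against the full report pasted above, the live bucket is the list in C:\WINDOWS and C:\WINDOWS\system32 (including wincom32.sys, detected as Rootkit.Win32.Agent.dh, which matters for the order of the next steps: a kernel driver that is still loaded can keep the files it protects from being deleted).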

Mr_JAk3
2007-05-09, 20:55
Yes lots of infected files.

I'll need a fresh ComboFix log so that we can nail them all at once.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

thecosmoguy
2007-05-10, 07:11
Thanks again! Here it is MrJAk3:

"RED1" - 2007-05-10 0:54:26 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\RED1\Desktop\smitfraud\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\system32\cent.exe.exe
C:\WINDOWS\system32\ma.exe.exe
C:\WINDOWS\system32\pep.exe.exe
C:\WINDOWS\system32\pp.exe.exe
C:\WINDOWS\system32\zoom.exe.exe
C:\WINDOWS\system32\zu.exe.exe
C:\WINDOWS\system32\rsvp32_2.dll
C:\DOCUME~1\RED1\Desktop\internet.lnk
C:\WINDOWS\system32\adirka.dll
C:\WINDOWS\system32\adirka.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\google.png.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\m22.exe
C:\WINDOWS\system32\paars.ini
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\wincom32.sys
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\pp.exe
C:\WINDOWS\via.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-10 ))))))))))))))))))))))))))))))))))


2007-05-04 00:15 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2007-05-04 00:15 <DIR> d-------- C:\Program Files\CamelCasino
2007-04-30 11:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-16 12:27 3,407,872 --a------ C:\DOCUME~1\RED1\ntuser.dat
2007-04-16 09:19 81,412 --a------ C:\WINDOWS\system32\idleserv.exe
2007-04-16 09:19 6,934 --a------ C:\WINDOWS\system32\otlrklkl.exe
2007-04-16 09:19 10,240 --a------ C:\WINDOWS\system32\xtlzgnuf.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-09 02:46:44 6,798 ----a-w C:\WINDOWS\system32\xupqzezr.exe
2007-03-31 16:07:45 7,471 ----a-w C:\WINDOWS\system32\smt.exe
2007-03-31 16:07:34 7,471 ----a-w C:\WINDOWS\system32\sca.exe
2007-03-31 16:06:13 10,240 ----a-w C:\WINDOWS\system32\hqwmqnzk.exe
2007-03-31 16:06:09 6,959 ----a-w C:\WINDOWS\system32\vjxghotj.exe
2007-03-27 16:23:43 -------- d-----w C:\DOCUME~1\RED1\APPLIC~1\Leadertech
2007-03-25 15:19:17 -------- d-----w C:\Program Files\Safer Networking
2007-03-23 21:10:18 9,216 ----a-w C:\WINDOWS\system32\vwbvhmtj.exe
2007-03-23 21:10:15 6,911 ----a-w C:\WINDOWS\system32\uczkidfe.exe
2007-03-16 13:42:08 8,704 ----a-w C:\WINDOWS\system32\sporder.dll
2007-03-16 13:41:07 9,216 ----a-w C:\WINDOWS\system32\huyeqzuz.exe
2007-03-16 13:41:04 6,789 ----a-w C:\WINDOWS\system32\eqovzzsp.exe
2007-03-08 19:59:11 49,152 ----a-w C:\WINDOWS\system32\msdtc_32.exe
2007-03-08 19:58:41 9,216 ----a-w C:\WINDOWS\system32\hulwpzji.exe
2007-03-08 19:58:34 6,750 ----a-w C:\WINDOWS\system32\amvpvqem.exe
2007-02-28 04:50:43 25,344 ----a-w C:\WINDOWS\system32\wml.exe
2007-02-28 04:50:43 21,760 ----a-w C:\WINDOWS\system32\vxddsk.exe
2007-02-28 04:50:43 19,456 ----a-w C:\WINDOWS\mspphe.dll
2007-02-28 04:50:43 15,616 ----a-w C:\WINDOWS\bjam.dll
2007-02-28 04:50:41 23,808 ----a-w C:\WINDOWS\system32\MSIXU.DLL
2007-02-28 04:50:41 17,664 ----a-w C:\WINDOWS\system32\WER8274.DLL
2007-02-28 04:50:40 18,432 ----a-w C:\WINDOWS\saiemod.dll
2007-02-28 04:47:37 22,528 ----a-w C:\WINDOWS\180ax.exe
2007-02-28 04:47:37 13,056 ----a-w C:\WINDOWS\updatetc.exe
2007-02-28 04:24:42 0 ----a-w C:\WINDOWS\system32\cdromdrv32.dll
2007-02-28 04:16:37 17,664 ----a-w C:\WINDOWS\vxddsk.exe
2007-02-28 04:16:36 14,848 ----a-w C:\WINDOWS\mssvr.exe
2007-02-28 04:16:36 12,800 ----a-w C:\WINDOWS\wml.exe
2007-02-28 04:16:33 18,944 ----a-w C:\WINDOWS\salm.exe
2007-02-28 04:11:47 12,800 ----a-w C:\WINDOWS\system32\user_32.dll
2007-02-22 02:49:29 1,034 ----a-w C:\WINDOWS\system32\tmp.reg
2007-02-20 17:43:54 6,706 ----a-w C:\WINDOWS\system32\rghyziki.exe
2007-02-13 15:58:21 4,805 ----a-w C:\WINDOWS\system32\oqbmxuys.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"EasyTuneV"="C:\\Program Files\\Gigabyte\\ET5\\GUI.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Nero\\data\\Xtras\\mssysmgr.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-10 00:56:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-10 0:56:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-10 00:56

Mr_JAk3
2007-05-11, 20:49
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

==================

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\system32\otlrklkl.exe
C:\WINDOWS\system32\xtlzgnuf.exe
C:\WINDOWS\system32\xupqzezr.exe
C:\WINDOWS\system32\smt.exe
C:\WINDOWS\system32\sca.exe
C:\WINDOWS\system32\hqwmqnzk.exe
C:\WINDOWS\system32\vjxghotj.exe
C:\WINDOWS\system32\vwbvhmtj.exe
C:\WINDOWS\system32\uczkidfe.exe
C:\WINDOWS\system32\huyeqzuz.exe
C:\WINDOWS\system32\eqovzzsp.exe
C:\WINDOWS\system32\msdtc_32.exe
C:\WINDOWS\system32\hulwpzji.exe
C:\WINDOWS\system32\amvpvqem.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\saiemod.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\system32\cdromdrv32.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\system32\user_32.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\rghyziki.exe
C:\WINDOWS\system32\oqbmxuys.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

thecosmoguy
2007-05-15, 17:00
Hello Mr_JaK3,
This is what I got (sorry about the delay): AVG Anti-Spyware comes up with a "64 bit edition of windows not supported" message so I can't even do the first step...
I checked around the message boards and this seems to be a common enough problem but no real remedy that I can find, any ideas?
I didn't want to go any further without your guidance.
Thank you, Cosmo

Mr_JAk3
2007-05-15, 20:58
Hello :)

Ok you could try this scanner instead:

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

thecosmoguy
2007-05-17, 16:01
Whew... full of stuff, here you go.... and thanks for even trying on this huge task,
Cosmo:


KASPERSKY ONLINE SCANNER REPORT
Thursday, May 17, 2007 9:54:55 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/05/2007
Kaspersky Anti-Virus database records: 322804
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 32533
Number of viruses found: 27
Number of infected objects: 136
Number of suspicious objects: 2
Duration of the scan process: 00:18:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/POPCORN72.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\RED1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab/C:/WINDOWS/system32/sony.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab/C:/WINDOWS/system32/cent.exe Infected: Packed.Win32.Tibs.v skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab CAB: infected - 2 skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\RED1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\History\History.IE5\MSHist012007051720070518\index.dat Object is locked skipped
C:\Documents and Settings\RED1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RED1\ntuser.dat Object is locked skipped
C:\Documents and Settings\RED1\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\pp.exe.vir Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\adirka.dll.vir Infected: Email-Worm.Win32.Banwarum.f skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\adirka.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\adirss.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cent.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dd.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lnwin.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\m22.exe.vir Infected: Backdoor.Win32.Agent.amd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ma.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pdp.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pep.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pp.exe.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rsvp32_2.dll.vir Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sm.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir Infected: Rootkit.Win32.Agent.dh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zoom.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\zu.exe.exe.vir Infected: Trojan-Downloader.Win32.Tibs.kc skipped

thecosmoguy
2007-05-17, 16:02
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030351.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030371.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP285\A0030376.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP286\A0030389.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP286\A0030419.exe Infected: Email-Worm.Win32.Zhelatin.aj skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030512.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030513.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP289\A0030514.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030743.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030745.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030746.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030747.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP299\A0030756.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030842.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030843.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030844.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030845.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030846.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030847.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030848.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030850.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030851.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030852.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030853.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP302\A0030854.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030891.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030893.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030899.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030900.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030901.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030913.exe Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030915.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP303\A0030918.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031016.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031017.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031018.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031019.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031020.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031021.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033329.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033330.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033371.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033372.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP322\A0033374.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033461.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033462.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033463.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033465.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033466.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033467.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033468.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033469.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033470.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033471.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033472.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033473.exe Infected: Email-Worm.Win32.Zhelatin.bp skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP323\A0033474.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035570.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035584.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035635.sys Infected: SpamTool.Win32.Agent.af skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035669.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035670.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035671.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035672.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035673.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035675.exe Infected: Backdoor.Win32.Agent.amd skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035677.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035683.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035684.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035685.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035686.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP326\A0035735.sys Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035820.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035830.exe Infected: Email-Worm.Win32.Zhelatin.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035831.exe Infected: Packed.Win32.Tibs.v skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP328\A0035930.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036150.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036151.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036152.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036153.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036154.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036155.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036156.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036158.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036159.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036160.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036161.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036163.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036164.exe Infected: Backdoor.Win32.Agent.amd skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036166.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036167.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP331\A0036169.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP336\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\ModemLog_Lucent Win Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\amvpvqem.exe Infected: Email-Worm.Win32.Zhelatin.bb skipped
C:\WINDOWS\system32\asgp32.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\eqovzzsp.exe Infected: Email-Worm.Win32.Zhelatin.bl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hqwmqnzk.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\hulwpzji.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\huyeqzuz.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\idleserv.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\WINDOWS\system32\intr32.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\WINDOWS\system32\oqbmxuys.exe Infected: Email-Worm.Win32.Zhelatin.z skipped
C:\WINDOWS\system32\otlrklkl.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\WINDOWS\system32\rghyziki.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\WINDOWS\system32\sca.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\smt.exe Infected: Email-Worm.Win32.Zhelatin.ce skipped
C:\WINDOWS\system32\uczkidfe.exe Infected: Trojan-Downloader.Win32.Tibs.kc skipped
C:\WINDOWS\system32\vjxghotj.exe Infected: Email-Worm.Win32.Zhelatin.bp skipped
C:\WINDOWS\system32\vwbvhmtj.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\waarwhnl.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xtlzgnuf.exe Infected: Trojan-Downloader.Win32.VB.att skipped
C:\WINDOWS\system32\xupqzezr.exe Infected: Email-Worm.Win32.Zhelatin.cq skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Mr_JAk3
2007-05-17, 20:22
Ok we'll nail 'em...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\default.htm
C:\WINDOWS\system32\amvpvqem.exe
C:\WINDOWS\system32\asgp32.dll
C:\WINDOWS\system32\eqovzzsp.exe
C:\WINDOWS\system32\hqwmqnzk.exe
C:\WINDOWS\system32\hulwpzji.exe
C:\WINDOWS\system32\huyeqzuz.exe
C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\system32\intr32.dll
C:\WINDOWS\system32\oqbmxuys.exe
C:\WINDOWS\system32\otlrklkl.exe
C:\WINDOWS\system32\rghyziki.exe
C:\WINDOWS\system32\sca.exe
C:\WINDOWS\system32\smt.exe
C:\WINDOWS\system32\uczkidfe.exe
C:\WINDOWS\system32\vjxghotj.exe
C:\WINDOWS\system32\vwbvhmtj.exe
C:\WINDOWS\system32\waarwhnl.exe
C:\WINDOWS\system32\xtlzgnuf.exe
C:\WINDOWS\system32\xupqzezr.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Restart the computer.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, see whether you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below it and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
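
The OTMoveIt list above is the Kaspersky report from the earlier posts with the non-detections stripped out: locked-file lines, copies already sitting in quarantine folders or System Restore points, the user's own tool downloads on the Desktop, and riskware verdicts. The script below is an added example (not code from this thread, from Kaspersky or from OTMoveIt) that applies exactly those rules to a constructed excerpt of the posted report; the folder list and the family-name heuristic are assumptions drawn from what the thread shows.

```python
"""
Added example, not code from the thread or from Kaspersky/OTMoveIt: reduce a
Kaspersky Online Scanner text report to the live infected files a helper
would put on a removal list, dropping scanner output that is not a detection.
The rules are the ones visible in the thread:
  * "Object is locked skipped" lines are not detections at all
  * copies in tool quarantines (QooBox, Spybot Recovery) and System Restore
    points (System Volume Information) are already contained
  * files the user downloaded to the Desktop on purpose (SmitfraudFix, the
    requested-files CAB) are not active infections
  * "not-a-virus:" verdicts are riskware (SmitfraudFix's Reboot.exe)
Archive members appear as "outer.cab/inner.exe"; the outer file is reported.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# A detection line: <path> Infected: <verdict> skipped  (or "Suspicious: ...")
_DETECTION = re.compile(
    r"^(?P<path>.+?)\s+(?:Infected|Suspicious):\s+(?P<verdict>\S+)\s+skipped$"
)

# Folders whose contents are contained copies or the user's own tool downloads
# (assumed list, taken from the paths in the posted report).
_CONTAINED = (
    "\\QooBox\\Quarantine\\",
    "\\System Volume Information\\",
    "\\Spybot - Search & Destroy\\Recovery\\",
    "\\Desktop\\",
)

# Constructed excerpt of the report posted in the thread (not the full log).
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/POPCORN72.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\RED1\Desktop\requested-files[2007-05-03_21_11].cab/C:/WINDOWS/system32/sony.exe Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\Documents and Settings\RED1\Desktop\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir Infected: Rootkit.Win32.Agent.dh skipped
C:\System Volume Information\_restore{CE6799DB-336C-4CF1-9A2A-44AE2BAF2690}\RP307\A0031020.sys Infected: Rootkit.Win32.Agent.dh skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\system32\amvpvqem.exe Infected: Email-Worm.Win32.Zhelatin.bb skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\rghyziki.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
C:\WINDOWS\system32\rghyziki.exe Infected: Email-Worm.Win32.Zhelatin.ai skipped
"""


def parse_detections(report: str) -> Iterator[Tuple[str, str]]:
    """Yield (file, verdict) per detection line; archive members map to the outer file."""
    for line in report.splitlines():
        m = _DETECTION.match(line.strip())
        if m:
            outer = m.group("path").split("/")[0]
            yield outer, m.group("verdict")


def _live_detections(report: str) -> List[Tuple[str, str]]:
    """Detections on files that are neither contained nor riskware, de-duplicated."""
    seen = set()
    live = []
    for path, verdict in parse_detections(report):
        lowered = path.lower()
        if any(folder.lower() in lowered for folder in _CONTAINED):
            continue
        if verdict.lower().startswith("not-a-virus:"):
            continue
        if lowered not in seen:
            seen.add(lowered)
            live.append((path, verdict))
    return live


def removal_candidates(report: str) -> List[str]:
    """Paths to hand to a move/delete tool, in the order the scanner listed them."""
    return [path for path, _ in _live_detections(report)]


def family_counts(report: str) -> Dict[str, int]:
    """Live detections per malware family (verdict with the variant suffix dropped)."""
    counts = Counter(".".join(v.split(".")[:3]) for _, v in _live_detections(report))
    return dict(counts)


if __name__ == "__main__":
    for path in removal_candidates(SAMPLE_REPORT):
        print(path)
    print(family_counts(SAMPLE_REPORT))
```

Run against the full posted report, the same filter yields the twenty C:\WINDOWS paths in the list above; the family counts show at a glance which families are still live outside quarantine.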

tashi
2007-05-23, 05:44
How is it going thecosmoguy?

tashi
2007-05-29, 06:17
This topic has been archived due to lack of a response. :spider:

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.