Win32.Agent.At/Smitfraud



jcollins91964
2007-05-26, 19:03
Please help. We've gotten ahold of either some malware, a virus(es), or both. Have run Symantec anti-virus numerous times and am no longer finding any viruses. However, running Spybot Search & Destroy uncovered the two programs shown in my subject line. I may have successfully removed Smitfraud, but Win32.Agent.At keeps coming back. I've disconnected my internet connection, though Line 010 of the log file below would indicate that I can't access the internet anyway. Something is eating up the memory on my system, plus it appears that a process is trying to access the internet about every 10 minutes. Log file is included below. I'm a new user, so if I am not following the correct protocol for this forum, I apologize. Any help that can be provided is greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 10:34:31 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: (no name) - {0474C782-28A2-4D9A-A783-0FFFF5AA7699} - C:\WINDOWS\system32\ljjghge.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ofb11 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\ywyursii.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpC.tmp.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: PsapiAnalyzer Object - {CB8B69CF-31AF-40D0-A119-5A8435BC1534} - c:\windows\$ntuninstallkb898458$\diskav.dll
O2 - BHO: (no name) - {dc2b971a-e93f-4312-b0f1-77d6cc31fedb} - C:\WINDOWS\system32\hypfmt.dll
O2 - BHO: (no name) - {F5BF26DB-3891-422C-BA51-09D6978A6205} - C:\WINDOWS\system32\sstqo.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B351343-810B-4D25-88AB-E705F4927679}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB6FCAD-C917-4C39-9EE5-67D3967B859E}: NameServer = 194.54.90.226
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: diskav - c:\windows\$ntuninstallkb898458$\diskav.dll
O20 - Winlogon Notify: hypfmt - C:\WINDOWS\SYSTEM32\hypfmt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ljjghge - C:\WINDOWS\SYSTEM32\ljjghge.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-05-27, 13:07
Hello jcollins91964 and welcome to the Forums :)

You're badly infected...

First, you need to disable a few real-time protections, as these may interfere with our cleaning process.
We'll enable these again when you're clean...

Disable Windows Defender's realtime protection.
Open Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Exit the program.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

jcollins91964
2007-05-27, 17:13
Thanks very much for reviewing this. Here is the requested information.

Vundo log:

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:54:40 AM 5/27/2007

Listing files found while scanning....

c:\windows\$ntuninstallkb898458$\diskav.dll
C:\WINDOWS\system32\ddcbxut.dll
C:\WINDOWS\system32\ddcyyyw.dll
C:\WINDOWS\system32\efcccax.dll
C:\WINDOWS\system32\gebcyxx.dll
C:\WINDOWS\system32\ljjghge.dll
C:\WINDOWS\system32\mljhhge.dll
C:\WINDOWS\system32\molfhold.dll
C:\WINDOWS\system32\opnnkii.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\pmnlmli.dll
C:\WINDOWS\system32\qomnool.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\ywyursii.dll

Beginning removal...

Attempting to delete c:\windows\$ntuninstallkb898458$\diskav.dll
c:\windows\$ntuninstallkb898458$\diskav.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbxut.dll
C:\WINDOWS\system32\ddcbxut.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyyyw.dll
C:\WINDOWS\system32\ddcyyyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcccax.dll
C:\WINDOWS\system32\efcccax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcyxx.dll
C:\WINDOWS\system32\gebcyxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjghge.dll
C:\WINDOWS\system32\ljjghge.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhhge.dll
C:\WINDOWS\system32\mljhhge.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnkii.dll
C:\WINDOWS\system32\opnnkii.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\oqtss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlmli.dll
C:\WINDOWS\system32\pmnlmli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnool.dll
C:\WINDOWS\system32\qomnool.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.dll Has been deleted!

Performing Repairs to the registry.
Done!

**********

HJK log:

Logfile of HijackThis v1.99.1
Scan saved at 9:06:22 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ofb11 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpC.tmp.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {dc2b971a-e93f-4312-b0f1-77d6cc31fedb} - C:\WINDOWS\system32\hypfmt.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B351343-810B-4D25-88AB-E705F4927679}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB6FCAD-C917-4C39-9EE5-67D3967B859E}: NameServer = 194.54.90.226
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: hypfmt - C:\WINDOWS\SYSTEM32\hypfmt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-05-27, 19:31
Hi again, we'll continue :)

Before we continue I would like you to do something for me...
I need you to upload a few malware files for further inspection.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply, then OK, and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\hypfmt.dll

In the comments, please mention that I asked you to upload this file
Click on Send File

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\perfc000.dat
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Please let me know when you have done this and then we'll get you cleaned :bigthumb:

jcollins91964
2007-05-27, 20:14
Here are the results of the VirusTotal scan. The dll file was submitted to uploadmalware.com as instructed. Thanks.

STATUS: FINISHED
Complete scanning result of "perfc000.dat", received in VirusTotal at 05.27.2007, 18:59:55 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 05.23.2007 W32/Backdoor.AOXB
Avast 4.7.997.0 05.27.2007 no virus found
AVG 7.5.0.467 05.27.2007 BackDoor.Generic6.NYE
BitDefender 7.2 05.27.2007 no virus found
CAT-QuickHeal 9.00 05.26.2007 Backdoor.Small.os
ClamAV devel-20070416 05.27.2007 no virus found
DrWeb 4.33 05.27.2007 Trojan.Proxy.1800
eSafe 7.0.15.0 05.24.2007 Win32.Small.os
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.27.2007 Backdoor.Small.os
FileAdvisor 1 05.27.2007 High threat detected
Fortinet 2.85.0.0 05.27.2007 W32/Small.OS!tr.bdr
F-Prot 4.3.2.48 05.25.2007 W32/Backdoor.AOXB
F-Secure 6.70.13030.0 05.27.2007 Backdoor.Win32.Small.os
Ikarus T3.1.1.8 05.27.2007 Backdoor.Win32.Small.os
Kaspersky 4.0.2.24 05.27.2007 Backdoor.Win32.Small.os
McAfee 5039 05.25.2007 Generic BackDoor
Microsoft 1.2503 05.27.2007 no virus found
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.27.2007 Trj/Spammer.ZX
Prevx1 V2 05.27.2007 Covert.Sys.Exec
Sophos 4.18.0 05.25.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.27.2007 Trojan.Perfcoo
TheHacker 6.1.6.123 05.25.2007 Backdoor/Small.os
VBA32 3.12.0 05.26.2007 Backdoor.Win32.Small.os
VirusBuster 4.3.23:9 05.27.2007 no virus found
Webwasher-Gateway 6.0.1 05.27.2007 Trojan.Crypt.XPACK.Gen


Aditional Information
File size: 6144 bytes
MD5: 4cf879e7ec03cb098b1ae77027dfd93c
SHA1: 7d97bbd60cf9002e682b0788172ea621c37a90bd
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=4cf879e7ec03cb098b1ae77027dfd93c
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=da6e93063034

Mr_JAk3
2007-05-27, 21:34
Thank you, we'll continue :)

Run VundoFix again.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\hypfmt.dll
C:\WINDOWS\system32\tmfpyh.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

jcollins91964
2007-05-27, 22:10
New VundoFix log:


VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:53:04 PM 5/27/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete c:\windows\system32\hypfmt.dll
c:\windows\system32\hypfmt.dll Has been deleted!

Performing Repairs to the registry.
Done!

******
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:05:04 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ofb11 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpC.tmp.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {dc2b971a-e93f-4312-b0f1-77d6cc31fedb} - C:\WINDOWS\system32\hypfmt.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B351343-810B-4D25-88AB-E705F4927679}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECB6FCAD-C917-4C39-9EE5-67D3967B859E}: NameServer = 194.54.90.226
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-05-28, 21:02
Hi again :)

We'll continue...

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\dscuc.exe
Click on Send
Wait for the scan to end.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\dls0523pmw.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

jcollins91964
2007-05-28, 22:45
I've run into a couple of problems while trying to follow the last set of instructions. No problems with the Fixwareout step. The report.txt and new HJT files are included below. However, I am not able to submit the dscuc.exe file to virustotal.com. The infected computer is currently not able to access the internet. Windows won't let me copy this file to a CD so I can submit from another machine. Also, I am unable to locate the dls0523.exe file.

Fixwareout log:

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
C:\Documents and Settings\James\Application Data\Install.dat Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

FINDSTR: Cannot open C:\WINDOWS\System32\dscuc.exe

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

**********

Logfile of HijackThis v1.99.1
Scan saved at 2:26:57 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ofb11 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpC.tmp.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {dc2b971a-e93f-4312-b0f1-77d6cc31fedb} - C:\WINDOWS\system32\hypfmt.dll (file missing)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



New HJT log:
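The HijackThis logs in this thread are triaged by eye. As an added example, not code from the forum, from HijackThis or from either poster, the following Python script applies the same rules mechanically to a constructed subset of the lines above; every function name in it is my own.

```python
"""Triage pass over HijackThis v1.99 log lines.

Added example for this thread; it is not code from the forum, from
HijackThis or from Mr_JAk3. It mechanises the checks the helper applied
by eye: O23 services with an unknown owner or a missing binary, O2 BHOs
that are unnamed or whose DLL is gone, the O10 broken-LSP line, and an
AppInit_DLLs value that points at a non-.dll file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""


@dataclass
class Finding:
    section: str        # HijackThis section tag, e.g. "O23"
    reasons: List[str]  # why the line deserves an analyst's look
    line: str


_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def _last_three(body: str, prefix: str) -> Optional[List[str]]:
    """Drop 'Service: ' / 'BHO: ' and split on the last two ' - ' separators,
    giving (name, owner-or-clsid, path). Paths do not contain ' - ' in practice."""
    if body.startswith(prefix):
        body = body[len(prefix):]
    parts = body.rsplit(" - ", 2)
    return parts if len(parts) == 3 else None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []
    if sec == "O23":
        parts = _last_three(body, "Service: ")
        if parts:
            _name, owner, path = parts
            if owner == "Unknown owner":
                reasons.append("service has no publisher (unknown owner)")
            if path.endswith("(file missing)"):
                reasons.append("service binary missing: stale entry or self-deleting dropper")
    elif sec == "O2":
        parts = _last_three(body, "BHO: ")
        if parts:
            name, _clsid, path = parts
            if path == "(no file)" or path.endswith("(file missing)"):
                reasons.append("BHO registered but its DLL is gone")
            # Unnamed or one-character BHO names recur in this infection; a
            # known-good unnamed BHO (Spybot's SDHelper.dll here) is the kind
            # of false positive the analyst clears by looking at the path.
            if name == "(no name)" or len(name) <= 1:
                reasons.append("BHO has no meaningful name")
    elif sec == "O10":
        # HijackThis only emits O10 when the Winsock LSP chain is broken.
        dll = re.search(r"'([^']+)'", body)
        reasons.append("Winsock LSP chain broken by " + (dll.group(1) if dll else body))
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        # Comma-separated registry value; each entry is injected into every
        # GUI process, so anything that is not a .dll is worth a look.
        for entry in body[len("AppInit_DLLs:"):].split(","):
            entry = entry.strip()
            if entry and not entry.lower().endswith(".dll"):
                reasons.append("AppInit_DLLs injects non-.dll file " + entry)
    if not reasons:
        return None
    return Finding(sec, reasons, line.strip())


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the flagged entries."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```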

Mr_JAk3
2007-05-29, 21:27
hello :)

Ok we'll continue...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

jcollins91964
2007-05-30, 01:31
Thank you. Here is the ComboFix log:

"James" - 2007-05-29 17:18:33 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\James\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ynxradxq.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\cfg32a.exe"
"C:\WINDOWS\system32\~.exe"
"C:\WINDOWS\system32\kernels32.exe"
"C:\WINDOWS\system32\tmpC.tmp.dll"
"C:\WINDOWS\system32\perfc000.dat"
"C:\WINDOWS\system32\dnsersnd.dll"
"C:\WINDOWS\sammy3.exe"
"C:\WINDOWS\rau001978.exe"
"C:\WINDOWS\cs_cache.ini"
"C:\WINDOWS\system32\boa.dat"
"C:\WINDOWS\system32\drivers\uzcx.exe"
"C:\WINDOWS\$NtUninstallKB898458$\ntp2.ini"
"C:\WINDOWS\system32\perfc000.dat"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 14:23 5,887 --a------ C:\dnsbak.reg
2007-05-27 08:54 <DIR> d-------- C:\VundoFix Backups
2007-05-26 08:52 <DIR> d-------- C:\Program Files\Safer Networking
2007-05-23 20:10 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-23 20:10 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
2007-05-23 20:10 <DIR> d-------- C:\WINDOWS\system32\T4
2007-05-23 20:10 <DIR> d-------- C:\WINDOWS\system32\T3
2007-05-23 20:10 <DIR> d-------- C:\WINDOWS\system32\pog
2007-05-23 20:10 <DIR> d-------- C:\Temp\0b9
2007-05-23 20:09 106,368 --a------ C:\WINDOWS\rqrpqp.dll
2007-05-23 06:41 37,244 --a------ C:\WINDOWS\5x.exe
2007-05-22 21:14 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-22 21:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-22 21:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-05-22 20:40 0 --a------ C:\WINDOWS\system32\ojilidfg.dll
2007-05-20 18:16 10,326 --a------ C:\WINDOWS\winwr.exe
2007-05-20 16:25 406 --a------ C:\WINDOWS\wintop.exe
2007-05-20 16:22 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Help
2007-05-15 19:02 24,741 --a------ C:\WINDOWS\system32\file.exe
2007-05-15 14:23 409 --a------ C:\WINDOWS\winother.exe
2007-05-11 16:32 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2007-05-07 15:50 1 --a------ C:\WINDOWS\system32\ps.dat
2007-05-06 16:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfAdventures
2007-05-06 16:49 <DIR> d-------- C:\Downloads
2007-05-05 13:05 918 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-05-05 12:55 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-05 12:54 <DIR> d-------- C:\Temp
2007-05-05 12:54 <DIR> d-------- C:\Program Files\Ofb11
2007-05-04 06:31 40,448 --a------ C:\WINDOWS\system32\ieplhpl.dll
2007-05-04 06:31 300 --a------ C:\WINDOWS\system32\wincrc32ie.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 01:12:12 -------- d-----w C:\Program Files\Messenger
2007-05-24 00:56:30 -------- d-----w C:\Program Files\Viewpoint
2007-05-06 21:52:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 15:26:34 -------- d-----w C:\Program Files\JumpStart
2007-04-28 00:29:06 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 22:52:20 287 -c--a-w C:\WINDOWS\PowerReg.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
2007-03-06 09:41:30 90,112 ----a-w C:\WINDOWS\KVTE66.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{018E9169-449D-4956-8EB8-F299340A5D91}=C:\Program Files\Messenger\rybimo930.dll [2007-05-23 20:12]
{3E1500AC-87A5-416b-A211-82E848649DA9}=C:\PROGRA~1\Ofb11\Ofb11.dll [2007-05-06 16:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 04:20]
{5CC960E5-6B53-4B2D-9281-8765EA3D18C0}=C:\WINDOWS\system32\sstqo.dll []
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
{dc2b971a-e93f-4312-b0f1-77d6cc31fedb}=C:\WINDOWS\system32\hypfmt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2002-07-30 11:35]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 14:30]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
"c:\dell\E-Center\gtb.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75]
c:\windows\system32\drivers\uzcx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\rqrpqp.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{82-2D-DC-C5-ZN}]
C:\windows\system32\vdsreg.exe CHD001


Contents of the 'Scheduled Tasks' folder
2007-05-29 22:16:44 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 17:23:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 17:25:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-29 17:25

--- E O F ---

Mr_JAk3
2007-05-30, 21:48
Hello :)

we'll continue :)


Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\5x.exe
Click on Send
Wait for the scan to end.

Scan these too:

C:\WINDOWS\winwr.exe
C:\WINDOWS\wintop.exe
C:\WINDOWS\system32\file.exe
C:\WINDOWS\winother.exe


Copy & Paste the scan results to here.

jcollins91964
2007-05-31, 03:31
Greetings once again. I originally attempted to access VirusTotal from the infected computer as it appeared that I was now able to secure an internet connection. However, after attempting to submit the first file, I received the following error:

IE has encountered a problem with an add-on and needs to close. The following add-on was running when the problem occurred: rybimo930.dll.

I'm not sure if this is relevant information, but I thought that I should mention it.

I then copied all of the referenced files to a CD and submitted them to VirusTotal from another computer. The results are shown below:

Complete scanning result of "5x.exe", received in VirusTotal at 05.31.2007, 01:57:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 no virus found
CAT-QuickHeal 9.00 05.30.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 Trojan.Packed.49
eSafe 7.0.15.0 05.30.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 suspicious
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 Trojan-Downloader.Win32.Zlob.and
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 New Malware.aj
Microsoft 1.2503 05.31.2007 no virus found
NOD32v2 2299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 W32/Suspicious_U.gen
Panda 9.0.0.4 05.30.2007 Suspicious file
Prevx1 V2 05.31.2007 Dropper.Payload
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 VIPRE.Suspicious
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 Trojan.Packed.49
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 Win32.Malware.gen (suspicious)


Aditional Information
File size: 37244 bytes
MD5: ce9dfb7844520e256d9dd1ed6b126260
SHA1: fc5a3ea5319c5c96cbbdd820e353fbf7ca1e2cb2
packers: UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=409296486412
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

************

Complete scanning result of "winwr.exe", received in VirusTotal at 05.31.2007, 02:01:58 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 TR/Dldr.Small.eqn
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 Win32:Agent-HDR
AVG 7.5.0.467 05.30.2007 Downloader.Generic4.RUW
BitDefender 7.2 05.31.2007 Trojan.Downloader.Small.ZZT
CAT-QuickHeal 9.00 05.30.2007 TrojanDownloader.Small.eqn
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 no virus found
eSafe 7.0.15.0 05.30.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 Downloader.Small.eqn
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 W32/Small.EQN!tr.dldr
F-Prot 4.3.2.48 05.30.2007 W32/Downloader2.EQF
F-Secure 6.70.13030.0 05.30.2007 Trojan-Downloader.Win32.Small.eqn
Ikarus T3.1.1.8 05.30.2007 Trojan-Downloader.Win32.Small.eqn
Kaspersky 4.0.2.24 05.31.2007 Trojan-Downloader.Win32.Small.eqn
McAfee 5042 05.30.2007 New Malware.ds
Microsoft 1.2503 05.31.2007 no virus found
NOD32v2 2299 05.30.2007 Win32/TrojanDownloader.Small.EQN
Norman 5.80.02 05.30.2007 W32/DLoader.CUXG
Panda 9.0.0.4 05.30.2007 Adware/Maxifiles
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 Mal/HckPk-D
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 Trojan Horse
TheHacker 6.1.6.126 05.30.2007 Trojan/Downloader.Small.eqn
VBA32 3.12.0 05.30.2007 Trojan-Downloader.Win32.Small.eqn
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 Trojan.Dldr.Small.eqn


Aditional Information
File size: 10326 bytes
MD5: 397f9e25b7ff083abe77b9f5e1f19106
SHA1: 83755b8da3a0ced113f9106fce68404a504357ce
packers: UPX
packers: UPX
packers: UPX

**************

Complete scanning result of "wintop.exe", received in VirusTotal at 05.31.2007, 02:08:46 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 no virus found
CAT-QuickHeal 9.00 05.30.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 no virus found
eSafe 7.0.15.0 05.30.2007 no virus found
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 no virus found
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 no virus found
NOD32v2 2299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 no virus found
Panda 9.0.0.4 05.30.2007 no virus found
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 no virus found
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 no virus found


Aditional Information
File size: 406 bytes
MD5: a7fe6b4903a7631a0a2db7eeaed17d9b
SHA1: b377dac2ebf546a1b77b81acb09c9c806d883c81

*******

Complete scanning result of "file.exe", received in VirusTotal at 05.31.2007, 02:14:18 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 Win-Trojan/LdPinch.24741.B
AntiVir 7.4.0.29 05.30.2007 TR/PSW.LdPinch.bum.2
Authentium 4.93.8 05.23.2007 Possibly a new variant of W32/new-malware!Maximus
Avast 4.7.997.0 05.30.2007 Win32:Ldpinch-GH
AVG 7.5.0.467 05.30.2007 PSW.Generic4.LMU
BitDefender 7.2 05.31.2007 Trojan.PWS.LdPinch.SZS
CAT-QuickHeal 9.00 05.30.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 no virus found
eSafe 7.0.15.0 05.30.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 Trojan.LdPinch.bum
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 suspicious
F-Prot 4.3.2.48 05.30.2007 W32/new-malware!Maximus
F-Secure 6.70.13030.0 05.30.2007 Trojan-PSW.Win32.LdPinch.bum
Ikarus T3.1.1.8 05.30.2007 Trojan-Spy.Win32.Agent.DI
Kaspersky 4.0.2.24 05.31.2007 Trojan-PSW.Win32.LdPinch.bum
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 PWS:Win32/Ldpinch!F94A
NOD32v2 2299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 LdPinch.JVR
Panda 9.0.0.4 05.30.2007 Generic Trojan
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 Mal/Basine-C
Sunbelt 2.2.907.0 05.30.2007 VIPRE.Suspicious
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 MalwareScope.Trojan-PSW.Pinch.42
VirusBuster 4.3.23:9 05.30.2007
Webwasher-Gateway 6.0.1 05.31.2007 Trojan.PSW.LdPinch.bum.2


Aditional Information
File size: 24741 bytes
MD5: 4af91fb8e2fd587ab43c5d945f079f6a
SHA1: b9d5783ec0af784f4d078db2074a6b15c5ffbe56
packers: FSG
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

*******

Complete scanning result of "winother.exe", received in VirusTotal at 05.31.2007, 02:21:55 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.30.2007 no virus found
AVG 7.5.0.467 05.30.2007 no virus found
BitDefender 7.2 05.31.2007 no virus found
CAT-QuickHeal 9.00 05.30.2007 no virus found
ClamAV devel-20070416 05.30.2007 no virus found
DrWeb 4.33 05.30.2007 no virus found
eSafe 7.0.15.0 05.30.2007 no virus found
eTrust-Vet 30.7.3678 05.30.2007 no virus found
Ewido 4.0 05.29.2007 no virus found
FileAdvisor 1 05.31.2007 no virus found
Fortinet 2.85.0.0 05.30.2007 no virus found
F-Prot 4.3.2.48 05.30.2007 no virus found
F-Secure 6.70.13030.0 05.30.2007 no virus found
Ikarus T3.1.1.8 05.30.2007 no virus found
Kaspersky 4.0.2.24 05.31.2007 no virus found
McAfee 5042 05.30.2007 no virus found
Microsoft 1.2503 05.31.2007 no virus found
NOD32v2 2299 05.30.2007 no virus found
Norman 5.80.02 05.30.2007 no virus found
Panda 9.0.0.4 05.30.2007 no virus found
Prevx1 V2 05.31.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.30.2007 no virus found
Symantec 10 05.31.2007 no virus found
TheHacker 6.1.6.126 05.30.2007 no virus found
VBA32 3.12.0 05.30.2007 no virus found
VirusBuster 4.3.23:9 05.30.2007 no virus found
Webwasher-Gateway 6.0.1 05.31.2007 no virus found


Aditional Information
File size: 409 bytes
MD5: fbbfd8790875a257c97fe7ea7506ddbe
SHA1: b309ec01580779faa16118bcffc45a6ae11845eb
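The five tables above are read by hand to decide which files are bad. As an added example (not from the post, from VirusTotal or from the helper), this Python parser takes one block in that 2007 plain-text layout, computes the detection ratio, and separates named-family verdicts from purely heuristic ones; the marker lists and function names are my own assumptions.

```python
"""Reader for the plain-text VirusTotal result tables pasted in this thread.

Added example; not code from the forum, from VirusTotal or from the posters.
The function names and the GENERIC_MARKERS / _STOP lists are assumptions.
It turns one pasted result block into a detection ratio, separates engines
that gave a real family name from ones that only raised a heuristic or
generic flag, and picks the most common family token across named verdicts.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed subset of the winwr.exe table posted above (ten engines).
SAMPLE_REPORT = """\
Complete scanning result of "winwr.exe", received in VirusTotal at 05.31.2007, 02:01:58 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.30.0 05.30.2007 no virus found
AntiVir 7.4.0.29 05.30.2007 TR/Dldr.Small.eqn
Avast 4.7.997.0 05.30.2007 Win32:Agent-HDR
AVG 7.5.0.467 05.30.2007 Downloader.Generic4.RUW
eSafe 7.0.15.0 05.30.2007 suspicious Trojan/Worm
Kaspersky 4.0.2.24 05.31.2007 Trojan-Downloader.Win32.Small.eqn
McAfee 5042 05.30.2007 New Malware.ds
Sophos 4.18.0 05.28.2007 Mal/HckPk-D
Symantec 10 05.31.2007 Trojan Horse
VirusBuster 4.3.23:9 05.30.2007 no virus found


Aditional Information
File size: 10326 bytes
MD5: 397f9e25b7ff083abe77b9f5e1f19106
SHA1: 83755b8da3a0ced113f9106fce68404a504357ce
packers: UPX
"""

# Verdict fragments that mark a heuristic or generic flag rather than a
# named family (assumed list, tuned to the 2007 vendor names in this thread).
GENERIC_MARKERS = ("suspicious", "generic", "new malware", "heur",
                   "malware.gen", "trojan horse", "trojan/worm")

# Naming-scheme words that carry no family information (assumed list).
_STOP = {"trojan", "win32", "w32", "downloader", "dldr", "psw", "pws", "mal",
         "agent", "generic", "malware", "virus", "found", "dropper", "worm"}


@dataclass
class VTReport:
    filename: str = ""
    md5: str = ""
    sha1: str = ""
    size: int = 0
    packers: List[str] = field(default_factory=list)
    rows: List[Tuple[str, str]] = field(default_factory=list)  # (vendor, result)


def parse_report(text: str) -> VTReport:
    rep = VTReport()
    in_table = False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith('Complete scanning result of "'):
            rep.filename = s.split('"')[1]
        elif s.startswith("Antivirus Version Update Result"):
            in_table = True
        elif in_table:
            if not s:
                in_table = False          # a blank line ends the table
                continue
            parts = s.split(None, 3)      # vendor, version, date, result...
            result = parts[3] if len(parts) == 4 else ""   # empty = no verdict
            rep.rows.append((parts[0], result))
        elif s.startswith("File size:"):
            rep.size = int(s.split()[2])
        elif s.startswith("MD5:"):
            rep.md5 = s.split(":", 1)[1].strip()
        elif s.startswith("SHA1:"):
            rep.sha1 = s.split(":", 1)[1].strip()
        elif s.startswith("packers:"):
            rep.packers.append(s.split(":", 1)[1].strip())
    return rep


def classify(result: str) -> str:
    """'clean', 'heuristic' or 'named' for one engine's verdict string."""
    r = result.lower()
    if not r or r == "no virus found":
        return "clean"
    if any(m in r for m in GENERIC_MARKERS):
        return "heuristic"
    return "named"


def family_consensus(results: List[str]) -> Optional[str]:
    """Most frequent alphabetic token (4+ chars, not a scheme word) in named verdicts."""
    counts: Counter = Counter()
    for res in results:
        for tok in re.split(r"[^A-Za-z0-9]+", res.lower()):
            if len(tok) >= 4 and tok.isalpha() and tok not in _STOP:
                counts[tok] += 1
    return counts.most_common(1)[0][0] if counts else None


def summarize(rep: VTReport) -> Dict[str, object]:
    named = [v for v, r in rep.rows if classify(r) == "named"]
    heuristic = [v for v, r in rep.rows if classify(r) == "heuristic"]
    return {
        "file": rep.filename,
        "engines": len(rep.rows),
        "detections": len(named) + len(heuristic),
        "named": named,
        "heuristic": heuristic,
        "family": family_consensus([r for v, r in rep.rows if classify(r) == "named"]),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['file']}: {s['detections']}/{s['engines']} engines, family guess: {s['family']}")
```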

Mr_JAk3
2007-05-31, 22:03
Hi :)

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\5x.exe
C:\WINDOWS\winwr.exe
C:\WINDOWS\wintop.exe
C:\WINDOWS\system32\file.exe
C:\WINDOWS\winother.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum (http://www.thespykiller.co.uk)
There's no need to register. Just start a new topic in the Uploads section, titled "Files for Mr_Jak3".
Add the link of this topic to the message.

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them.

I'll have a look and then we'll continue :bigthumb:

jcollins91964
2007-06-01, 02:38
I have completed this step as instructed.

Mr_JAk3
2007-06-01, 11:56
Hi again, we'll continue :)

Thank you for the uploads. The files were bad and we'll remove them. Could you please upload these files to the same thread at Spykiller (like the way you did before)? I would really appreciate it.

So use SFP.exe for these and upload them to the Spykiller forum:
C:\WINDOWS\system32\ieplhpl.dll
C:\WINDOWS\system32\wincrc32ie.dll
C:\WINDOWS\KVTE66.exe
c:\windows\system32\drivers\uzcx.exe

Thank you :bigthumb::bigthumb:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Download Lspfix (http://www.cexx.org/lspfix.zip). Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of rlls.dll (and nothing else), then move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

Relevant Knowledge

and any other programs you didn't install or don't recognize - if you're not sure please ask first

Disable the bad services
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to AFSEGTGF Windows Service
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Scroll down to Net Agent
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; AFSEGTGF Windows Service
Answer Yes
Press Delete an NT service again.
Copy the following line to the box and press OK; Net Agent
Answer Yes
Close HijackThis


Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registry files (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iut75]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{82-2D-DC-C5-ZN}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: 0 - {018E9169-449D-4956-8EB8-F299340A5D91} - C:\Program Files\Messenger\rybimo930.dll
O2 - BHO: Ofb11 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmpC.tmp.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {dc2b971a-e93f-4312-b0f1-77d6cc31fedb} - C:\WINDOWS\system32\hypfmt.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\rqrpqp.dll
c:\windows\system32\rlls.dll
C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\5x.exe
C:\windows\system32\vdsreg.exe
C:\WINDOWS\system32\ojilidfg.dll
C:\WINDOWS\winwr.exe
C:\WINDOWS\wintop.exe
C:\Program Files\Messenger\rybimo930.dll
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\winother.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\ieplhpl.dll
C:\WINDOWS\system32\wincrc32ie.dll
C:\WINDOWS\KVTE66.exe
c:\windows\system32\drivers\uzcx.exe
C:\WINDOWS\dls0523pmw.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Ofb11
C:\Program Files\Relevant Knowledge

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
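
As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python parser for HijackThis v1.99.1 log entries of the kind quoted in this thread. It reads the R/O lines, flags the patterns a helper looks for by eye (entries pointing at a file that no longer exists, unnamed BHOs, AppInit_DLLs entries, services with no vendor string) and mirrors the "check the box next to each of these entries if still present" step by matching a fix list against the log by CLSID. It only reads text and changes nothing on the machine; the sample log and fix list are constructed from lines posted in this thread, and the heuristics are assumptions that flag lines for review rather than prove anything clean or infected.

```python
"""Added example, not code from the thread or from HijackThis: a parser for
HijackThis v1.99.1 log entries (R0/R1/O2/O4/O20/O23 lines as quoted in this
thread). Read-only: it reports, it does not change the machine."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of entries copied from the logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# The helper's "check the box next to each of these entries if still present"
# list, shortened to four lines (constructed from the thread) for the example.
FIX_LIST = [
    r"O2 - BHO: (no name) - {5CC960E5-6B53-4B2D-9281-8765EA3D18C0} - C:\WINDOWS\system32\sstqo.dll (file missing)",
    r"O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi.dll (file missing)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat",
]

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)


def assess(section: str, body: str) -> List[str]:
    """Assumed heuristics, the ones a helper applies by eye. They flag a line
    for a second look; an unflagged line is not thereby proven clean."""
    flags = []
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        flags.append("dangling")  # registry still points at a file that is gone
    if section == "O2" and body.startswith("BHO: (no name)"):
        flags.append("unnamed-bho")  # legitimate BHOs usually carry a product name
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that loads user32.dll
        flags.append("appinit-dll")
        if not body.split(":", 1)[1].strip().lower().endswith(".dll"):
            flags.append("non-dll-extension")  # a .dat loaded as a DLL is odd
    if section == "O23" and "- Unknown owner -" in body:
        flags.append("unknown-owner-service")  # no vendor string in the binary
    return flags


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a "Running processes" path
        section, body = m.group("section"), m.group("body")
        cm = CLSID_RE.search(body)
        clsid = cm.group(0).upper() if cm else None  # GUID case varies between logs
        entries.append(Entry(section, body, clsid, assess(section, body)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def still_present(entries: List[Entry], fix_list: List[str]) -> List[str]:
    """Mirror the 'check the box next to each of these entries if still present'
    step: match by CLSID where one exists (file paths can change), else by text."""
    by_clsid = {e.clsid for e in entries if e.clsid}
    by_text = {(e.section, e.body) for e in entries}
    present = []
    for line in fix_list:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        cm = CLSID_RE.search(m.group("body"))
        if cm:
            hit = cm.group(0).upper() in by_clsid
        else:
            hit = (m.group("section"), m.group("body")) in by_text
        if hit:
            present.append(line.strip())
    return present


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in flagged(parsed):
        print(f"{e.section}: {', '.join(e.flags):32} {e.body}")
    print("fix-list entries still present:", len(still_present(parsed, FIX_LIST)))
```

Matching on CLSID rather than on the whole line is deliberate: the same BHO can be re-registered under a fresh random file name between scans, but the CLSID in the registry usually survives, so a CLSID match catches a "re-spawned" entry that a plain text comparison would miss.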

jcollins91964
2007-06-02, 03:51
This isn't going well.

I was able to post the new set of files to the spykiller forum.

However, starting with the lspfix activity, my results are not matching with your instructions.

rlls.dll did not exist in the left hand pane of the lspfix application.

No entries by the name of Relevant Knowledge, or anything similar, were found in Add/Remove programs.

The service named AFSEGTGF Windows Service was already stopped. When attempting to change the Startup type to Disabled, the following message was returned: "Unable to open service AFSEGTGF Windows Service for reading on Local Computer. Error 1060: The specified service does not exist as an installed service."

The service name Net Agent does not exist.

I'm hesitant to continue with the subsequent steps without your direction. Thanks.

Mr_JAk3
2007-06-03, 15:10
Hello :)

Sorry for the delay, I wasn't within reach of my PC yesterday.

It is a good thing that you let me know. You may now continue the instructions starting from the registry backup :bigthumb:

jcollins91964
2007-06-03, 18:24
Thank you. These steps went a little smoother. I should mention that, when AVG was attempting to quarantine a few items, I received a message that the files could not be quarantined as they were embedded in the archive. It asked me if I wanted to quarantine the entire archive. I selected 'Yes', though I wasn't sure if this was the correct response.

AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:10:56 AM 6/3/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\cfg32a.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\Downloads\3DUltraMiniGolf_SE-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\ucmoreiex.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\VundoFix Backups\ddcbxut.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnnkii.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T3\dlltk67.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir -> Backdoor.Small.os : Cleaned with backup (quarantined).
C:\VundoFix Backups\hypfmt.dll.bad -> Downloader.ConHook.bf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\uzcx.exe.vir -> Downloader.Nurech.bh : Cleaned with backup (quarantined).
C:\!KillBox\winwr.exe -> Downloader.Small.eqn : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3902424422-4211580384-3842772725-1006\Dc1.cab/C:\windows\winwr.exe -> Downloader.Small.eqn : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\CmarP1083.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\click.exe -> Hijacker.Delf.hj : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\dnsersnd.exe -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\dnsersnd.dll.vir -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\!KillBox\ieplhpl.dll -> Logger.Banker.ckj : Cleaned with backup (quarantined).
C:\Documents and Settings\James\Desktop\requested-files[2007-06-01_19_02].cab/C:\WINDOWS\system32\ieplhpl.dll -> Logger.Banker.ckj : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\install.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\sammy3.exe.vir -> Trojan.Agent : Cleaned with backup (quarantined).
C:\!KillBox\KVTE66.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\Documents and Settings\James\Desktop\requested-files[2007-06-01_19_02].cab/C:\WINDOWS\KVTE66.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\Documents and Settings\Sean\Desktop\zippy2.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070603-090502-795.dll -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\Program Files\Messenger\rybimo.dll -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\!KillBox\file.exe -> Trojan.LdPinch.bum : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3902424422-4211580384-3842772725-1006\Dc1.cab/C:\windows\system32\file.exe -> Trojan.LdPinch.bum : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070603-090502-588.dll -> Trojan.OwlF.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dscuc.exe -> Trojan.Small.mw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dslme.exe -> Trojan.Small.mw : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\kernels32.exe.vir -> Trojan.Tibs.aa : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T5QaSQ\T5QaSQ1083.exe -> Trojan.VB.nhr : Cleaned with backup (quarantined).


::Report end

******

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:58 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dscuc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Mr_JAk3
2007-06-03, 21:57
Hi again, we'll continue :)

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

You should print these instructions or save these to a text file. Follow these instructions carefully.


==================

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and choose Save as. Name the file kill.bat, set Save as Type to All files, and select the desktop icon on the left to save it on the desktop.
Double click on kill.bat and let it run. A window will open and close which is normal.


@echo off
sc stop "AFSEGTGF Windows Service"
sc delete "AFSEGTGF Windows Service"

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\T5QaSQ
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\pog

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot in Normal Mode.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


================

When you're ready, please post the following logs to here:
- Kaspersky log
- a fresh HijackThis log

jcollins91964
2007-06-04, 00:27
Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 03, 2007 4:22:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/06/2007
Kaspersky Anti-Virus database records: 336759
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
Z:\

Scan Statistics:
Total number of scanned objects: 56048
Number of viruses found: 11
Number of infected objects: 27 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:43:22

Infected Object Name / Virus Name / Last Action
C:\!KillBox\5x.exe Infected: Trojan-Downloader.Win32.ConHook.bf skipped
C:\!KillBox\rqrpqp.dll Infected: Trojan.Win32.Agent.agv skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12172006-105945.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00002.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00004.VBN/data0002 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00004.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00004.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00006.VBN Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00008.VBN Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D0000A.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D0000C.VBN Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB00000.VBN Infected: Trojan-Downloader.Win32.VB.att skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB00002.VBN Infected: Trojan-Downloader.Win32.VB.att skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB00004.VBN Infected: Trojan-Spy.Win32.Banker.cnq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB00006.VBN Infected: Trojan-Downloader.Win32.VB.att skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB00008.VBN Infected: Trojan-Downloader.Win32.VB.att skipped
C:\Documents and Settings\James\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\James\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\James\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\James\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ynxradxq.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan-Downloader.Win32.Agent.bnn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\ddcyyyw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\diskav.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\efcccax.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\gebcyxx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ljjghge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\mljhhge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\pmnlmli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\qomnool.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\sstqo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

***************

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:22 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - https://citrix.meadowbrook.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
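As an added example for reading logs like the one above (this is not code from the original post or from HijackThis), the Python below parses HijackThis 1.99.1 entries into structured records: the section code (O2, O4, O16, ...), any CLSID, and the file path or URL the entry points at. It also applies one simple triage heuristic: autostart-type entries (O4, O20, O21, O23) whose target sits outside the Windows and Program Files directories are returned for a closer look. The sample lines are copied in the log's format from the post; the single HKCU "example_constructed" line is made up to exercise the heuristic and is labelled as such.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the format of the HijackThis v1.99.1 log quoted
# above. The HKCU "example_constructed" line is made up to exercise the triage
# check below; it is not from the poster's log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [example_constructed] C:\Documents and Settings\User\Local Settings\Temp\example_constructed.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
""".strip()

# "O4 - <body>", "R1 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# A COM class id in braces, as HijackThis prints it.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 entries: "...\Run: [value name] command line"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Targets are either a drive-letter path or an http(s) URL.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|https?://)")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    target: Optional[str]


def _target_from_run(cmd: str) -> str:
    """Return the executable from an O4 command line (quoted path or bare path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd  # simplification: unquoted lines are treated as a bare path


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    target = None
    if section == "O4":
        run_m = RUN_RE.search(body)
        if run_m:
            target = _target_from_run(run_m.group("cmd"))
    else:
        # For the other sections the last " - "-separated field is the path/URL.
        last = body.rsplit(" - ", 1)[-1].strip()
        if PATH_RE.match(last):
            target = last
    return Entry(section, body, clsid, target)


def parse_hjt(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Triage heuristic (an assumption of this example, not a HijackThis rule):
# autostart entries whose target is outside these directories deserve a look.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
AUTOSTART_SECTIONS = ("O4", "O20", "O21", "O23")


def autostarts_outside_program_dirs(entries: List[Entry]) -> List[Entry]:
    return [
        e for e in entries
        if e.section in AUTOSTART_SECTIONS and e.target
        and not e.target.lower().startswith(EXPECTED_PREFIXES)
    ]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(count_by_section(parsed))
    for e in autostarts_outside_program_dirs(parsed):
        print("review:", e.section, e.target)
```

The heuristic only narrows what to read first; an entry in a normal directory can still be unwanted and a user-profile path can be legitimate, so the output is a reading order, not a verdict.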

Mr_JAk3
2007-06-04, 22:42
Hello :)

Looks all good. How is the computer running? :bigthumb:

jcollins91964
2007-06-06, 13:19
Thank you so much for your assistance. I am currently away from home on a business trip. Will check the PC when I return on Friday.

jcollins91964
2007-06-09, 19:20
Things appear to be running normally. Thank you.

Mr_JAk3
2007-06-09, 20:43
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1)
Start
Control Panel
Add/Remove Programs
Delete the old Java, Java 2 Runtime Environment, SE v1.4.2_03

Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
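The post above recommends installing the MVPS hosts file, which works by mapping unwanted hostnames to a non-routable address so the browser never reaches them. As an added example (not code from the post or from the MVPS project), the Python below checks a hosts file after installation: every entry should be either the loopback line or a blocking entry (0.0.0.0 or 127.0.0.1); an entry that maps a name to a real address is a redirect rather than a block, which a blocking list should never contain and which is worth examining. The sample hosts content is constructed; the www.example-bank.test line is made up to show what a redirect looks like.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file content, using the "0.0.0.0 hostname" blocking
# convention of the MVPS hosts file. The last entry is made up to show what a
# redirect (rather than a block) looks like; it is not from any real list.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS list
127.0.0.1 localhost
0.0.0.0 ad.example-blocked.test
0.0.0.0 tracker.example-blocked.test   # trailing comment is ignored
203.0.113.10 www.example-bank.test
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is malformed, ignore it
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address, ignore the line
        entries.append((parts[0], parts[1:]))
    return entries


def classify(address: str) -> str:
    """'block' for 0.0.0.0/::, 'loopback' for 127.x/::1, otherwise 'redirect'."""
    ip = ipaddress.ip_address(address)
    if ip.is_unspecified:
        return "block"
    if ip.is_loopback:
        return "loopback"
    return "redirect"


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {"block": 0, "loopback": 0, "redirect": 0}
    for address, names in parse_hosts(text):
        counts[classify(address)] += len(names)
    return counts


def redirects(text: str) -> List[Tuple[str, str]]:
    """Hostnames that are sent to a routable address instead of being blocked."""
    found = []
    for address, names in parse_hosts(text):
        if classify(address) == "redirect":
            found.extend((name, address) for name in names)
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    for name, address in redirects(SAMPLE_HOSTS):
        print("review:", name, "->", address)
```

On a real system the same functions can be run over the contents of the hosts file itself (C:\WINDOWS\system32\drivers\etc\hosts on Windows XP); a clean install of a blocking list should report zero redirects.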