View Full Version : A couple of problems



Axel003
2007-06-04, 22:59
Hey, I got a trojan the other day and I've been attempting to remove it myself for a while. I thought I had successfully done so, but now Spyware Doctor (free version) is going crazy telling me it's blocking malicious action from rundll32.exe, and Spybot S&D is going mad telling me that it has blocked registry changes. Any help would be greatly appreciated.

Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 3:52:03 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\System32\svchost.exe
C:\windows\System32\alg.exe
C:\windows\TEMP\win8D.tmp.exe
C:\Program Files\Starcraft\StarCraft.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

Axel003
2007-06-05, 01:14
Ooh, forgot to mention. Every time I run Spybot S&D I keep getting Smitfraud-C.Toolbar888. If someone could help me remove it without the reformatting approach I'd be most appreciative.

Mr_JAk3
2007-06-05, 21:40
Hello axel and welcome to the Forums :)

Please post the Spybot S&D log to here.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Axel003
2007-06-06, 00:51
Thanks for the help.

"Alex" - 2007-06-04 18:41:04 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Alex\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\windows\system32\jkkjk.dll
C:\windows\system32\winrkq32.dll
C:\WINDOWS\system32\kjkkj.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\Program Files\ASEMBL~1
C:\Program Files\Common Files\ICROSO~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winupdates
C:\windows\smgr.exe
C:\windows\system32\wapisvit.exe
C:\windows\wr.txt


((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


2007-06-04 15:37 33,302 --a------ C:\WINDOWS\system32\jkkijkj.dll
2007-06-04 12:13 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-04 12:13 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-04 12:13 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-04 12:13 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-04 12:13 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-04 12:13 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-04 12:13 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\PC Tools
2007-06-04 12:06 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\PCToolsFirewallPlus
2007-06-04 12:04 55,904 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
2007-06-04 12:04 100,448 --a------ C:\WINDOWS\system32\drivers\pctfw1.sys
2007-06-04 12:04 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-06-03 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-03 18:53 <DIR> d-------- C:\DOCUME~1\Alex\.housecall6.6
2007-06-03 18:47 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Uniblue
2007-06-03 18:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-03 18:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-03 18:41 1,344 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-03 18:26 <DIR> d-------- C:\VundoFix Backups
2007-06-03 16:26 60,928 --a------ C:\WINDOWS\system32\nkyiqg.dll
2007-06-03 16:26 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
2007-06-03 16:26 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
2007-06-01 17:56 967 --a------ C:\WINDOWS\ScUnin.pif
2007-06-01 17:56 68,096 --a------ C:\WINDOWS\ScUnin.exe
2007-06-01 17:56 51,482 --a------ C:\WINDOWS\scunin.dat
2007-06-01 17:37 <DIR> d-------- C:\Program Files\Starcraft
2007-05-30 20:18 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-21 00:35 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-21 00:35 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-21 00:35 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-21 00:35 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-21 00:35 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-21 00:35 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-21 00:35 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-21 00:34 <DIR> d-------- C:\Program Files\Sony
2007-05-10 03:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 09:56 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\GraphPad Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 22:45:46 384 ----a-w C:\windows\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
2007-06-04 22:45:46 384 ----a-w C:\windows\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
2007-06-04 21:16:00 1,984 ----a-w C:\windows\system32\d3d9caps.dat
2007-06-04 15:56:40 -------- d-----w C:\Program Files\WinISO
2007-06-04 15:55:40 -------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-06-04 15:55:25 -------- d-----w C:\Program Files\SmartFTP Client 2.0 Setup Files
2007-06-04 03:56:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 03:56:19 -------- d-----w C:\Program Files\ASUS
2007-06-04 03:56:08 -------- d-----w C:\Program Files\Citrix
2007-06-03 22:57:50 -------- d-----w C:\Program Files\Network Associates
2007-05-30 04:40:40 -------- d-----w C:\Program Files\Winamp
2007-04-18 16:12:23 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\windows\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\windows\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\windows\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\windows\system32\muweb.dll
2007-04-08 01:48:39 -------- d-----w C:\DOCUME~1\Alex\APPLIC~1\ICAClient
2007-03-17 13:43:01 292,864 ----a-w C:\windows\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\windows\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\windows\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\windows\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\windows\system32\win32k.sys
2007-03-07 23:51:00 129,784 ------w C:\windows\system32\pxafs.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{08C134D3-087C-4139-A98C-3A078358DFDE}=C:\windows\system32\jkkijkj.dll [2007-06-04 15:37]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-18 16:36]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 03:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{08C134D3-087C-4139-A98C-3A078358DFDE}"="C:\windows\system32\jkkijkj.dll" [2007-06-04 15:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkijkj]
jkkijkj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\claruxeb.exe]
C:\Documents and Settings\All Users\Application Data\claruxeb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Etbs]
"C:\windows\$NtServicePackUninstall$\regsvr32.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnew]
"C:\Program Files\a?sembly\?xplorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Mail Services]
express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
"C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
smgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TeoSoft AntiSpyware Pro FREE TEST]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULNLA]
c:\program files\ULNLA\ULNLA.exe 131

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\FotomatDeviceConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{941d2ec1-1631-11da-96a7-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc5a1f71-2225-11da-88a0-0011112811d9}]
AutoRun\command- I:\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-05-30 18:13:00 C:\windows\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 18:47:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-04 18:50:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 18:50

--- E O F ---

Axel003
2007-06-06, 03:59
Oh good, the computer is also randomly restarting. This happens mostly whenever I try to download something. Lately it's been either attempting to update B-Net or download the iTunes installer.

Mr_JAk3
2007-06-06, 21:51
Ok...

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Axel003
2007-06-07, 00:56
Thanks a lot for the help! Just a couple of questions: what kind of changes can I expect? I noticed a lot of my bookmarks were deleted; that's no big deal though. What about saved passwords and such?

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:46:11 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\windows\System32\svchost.exe
C:\windows\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\windows\Explorer.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

SDFix log:


SDFix: Version 1.86

Run by Alex - Wed 06/06/2007 - 17:31:11.01

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\windows\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\windows\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\windows\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\ssqpn.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\19fd80404722a6ad3b8dfeb8c06ee71e\BIT87.tmp

Listing User Accounts:

User accounts for \\SCAPEGOAT

Administrator Alex ASPNET
Dave Guest HelpAssistant
SUPPORT_388945a0


Finished

The cleanup check thing that it asked me to do afterwards:

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 17:49:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Mr_JAk3
2007-06-07, 21:13
Well, some settings might be restored to the defaults. This is normal. Passwords might get deleted too when we clean the temporary folders & files...

Create a new folder for HijackThis and move HijackThis.exe into it.

Rename HijackThis.exe to Scanner.exe

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis (scanner.exe) log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Axel003
2007-06-08, 06:42
All done:

VundoFix:


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 11:28:54 PM 6/7/2007

Listing files found while scanning....

C:\windows\system32\ddccy.dll
C:\windows\system32\dgjlm.ini
C:\windows\system32\jkkijkj.dll
C:\windows\system32\jkklk.dll
C:\windows\system32\mljgd.dll
C:\windows\system32\ssqpn.dll

Beginning removal...

Attempting to delete C:\windows\system32\ddccy.dll
C:\windows\system32\ddccy.dll Has been deleted!

Attempting to delete C:\windows\system32\dgjlm.ini
C:\windows\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\windows\system32\jkkijkj.dll
C:\windows\system32\jkkijkj.dll Could not be deleted.

Attempting to delete C:\windows\system32\jkklk.dll
C:\windows\system32\jkklk.dll Has been deleted!

Attempting to delete C:\windows\system32\mljgd.dll
C:\windows\system32\mljgd.dll Could not be deleted.

Attempting to delete C:\windows\system32\ssqpn.dll
C:\windows\system32\ssqpn.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\jkkijkj.dll
C:\windows\system32\jkkijkj.dll Has been deleted!

Attempting to delete C:\windows\system32\mljgd.dll
C:\windows\system32\mljgd.dll Has been deleted!

Performing Repairs to the registry.
Done!


New HijackThis log (scanner.exe):

Logfile of HijackThis v1.99.1
Scan saved at 11:40:30 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Alex\Desktop\Blarg\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F04D3FF5-4877-4A24-9B73-E10C41C91FFD} - C:\windows\system32\mljgd.dll (file missing)
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O20 - Winlogon Notify: jkkjk - C:\windows\
O20 - Winlogon Notify: NavLogon - C:\windows\
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

Mr_JAk3
2007-06-08, 22:53
Ok...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Axel003
2007-06-08, 23:04
Here is the log. How's it looking so far?

"Alex" - 2007-06-08 16:00:10 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Alex\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-07 23:47 967 --a------ C:\WINDOWS\ScUnin.pif
2007-06-07 23:47 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-06-07 23:47 12,876 --a------ C:\WINDOWS\scunin.dat
2007-06-04 18:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 12:06 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\PCToolsFirewallPlus
2007-06-04 12:04 55,904 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
2007-06-04 12:04 100,448 --a------ C:\WINDOWS\system32\drivers\pctfw1.sys
2007-06-04 12:04 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-06-03 19:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-03 18:53 <DIR> d-------- C:\DOCUME~1\Alex\.housecall6.6
2007-06-03 18:47 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Uniblue
2007-06-03 18:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-03 18:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-03 18:41 1,344 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-03 18:26 <DIR> d-------- C:\VundoFix Backups
2007-06-03 16:26 60,928 --a------ C:\WINDOWS\system32\nkyiqg.dll
2007-06-03 16:26 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\claruxeb.exe
2007-05-30 20:18 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-21 00:35 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-21 00:35 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-21 00:35 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-21 00:35 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-21 00:35 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-21 00:35 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-21 00:35 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-21 00:34 <DIR> d-------- C:\Program Files\Sony
2007-05-10 03:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 03:37:56 384 ----a-w C:\windows\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
2007-06-08 03:37:56 384 ----a-w C:\windows\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-10031102}.dat
2007-06-05 23:19:46 -------- d-----w C:\Program Files\iTunes
2007-06-05 23:19:21 -------- d-----w C:\Program Files\iPod
2007-06-05 23:16:21 -------- d-----w C:\Program Files\QuickTime
2007-06-05 13:58:25 1,984 ----a-w C:\windows\system32\d3d9caps.dat
2007-06-05 00:14:14 -------- d-sh--w C:\Program Files\ULNLA
2007-06-05 00:14:09 -------- d-----w C:\Program Files\Free Anti-Virus Scan
2007-06-04 15:56:40 -------- d-----w C:\Program Files\WinISO
2007-06-04 15:55:40 -------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-06-04 15:55:25 -------- d-----w C:\Program Files\SmartFTP Client 2.0 Setup Files
2007-06-04 03:56:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-04 03:56:19 -------- d-----w C:\Program Files\ASUS
2007-06-04 03:56:08 -------- d-----w C:\Program Files\Citrix
2007-06-03 22:57:50 -------- d-----w C:\Program Files\Network Associates
2007-05-30 04:40:40 -------- d-----w C:\Program Files\Winamp
2007-05-07 13:56:47 -------- d-----w C:\DOCUME~1\Alex\APPLIC~1\GraphPad Software
2007-04-18 16:12:23 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\windows\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\windows\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\windows\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\windows\system32\muweb.dll
2007-04-08 01:48:39 -------- d-----w C:\DOCUME~1\Alex\APPLIC~1\ICAClient
2007-03-17 13:43:01 292,864 ----a-w C:\windows\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\windows\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\windows\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\windows\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\windows\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{F04D3FF5-4877-4A24-9B73-E10C41C91FFD}=C:\windows\system32\mljgd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-06-06 17:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\claruxeb.exe]
C:\Documents and Settings\All Users\Application Data\claruxeb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Etbs]
"C:\windows\$NtServicePackUninstall$\regsvr32.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnew]
"C:\Program Files\a?sembly\?xplorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Mail Services]
express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
"C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]
smanager.7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
smgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TeoSoft AntiSpyware Pro FREE TEST]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ULNLA]
c:\program files\ULNLA\ULNLA.exe 131

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\FotomatDeviceConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{941d2ec1-1631-11da-96a7-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc5a1f71-2225-11da-88a0-0011112811d9}]
AutoRun\command- I:\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-06-06 18:13:04 C:\windows\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 16:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 16:02:31
C:\ComboFix-quarantined-files.txt ... 2007-06-08 16:02

--- E O F ---

Mr_JAk3
2007-06-09, 19:01
Hi again, we'll continue :)

Looks quite good already.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to the "Browse" button:
C:\windows\$NtServicePackUninstall$\regsvr32.exe
Click on Send
Wait for the scan to end.

Copy & paste the scan results here.


You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe


Backup your registry:
Start
Run
Type the following into the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registry files (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\claruxeb.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnew]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Mail Services]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F04D3FF5-4877-4A24-9B73-E10C41C91FFD} - C:\windows\system32\mljgd.dll (file missing)
O20 - Winlogon Notify: jkkjk - C:\windows\


Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\nkyiqg.dll
C:\Documents and Settings\All Users\Application Data\claruxeb.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt. Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log.
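As an added triage example (not code from this thread, from the helper, or from HijackThis itself), the script below parses HijackThis-format log lines and flags the structural signs the fix list above relies on: O2 BHOs whose DLL is "(no file)" or "(file missing)", and O20 Winlogon Notify entries that show only a directory with no DLL name. The sample lines are constructed from the log posted in this thread; the same rule also flags the NavLogon entry, which has the same shape but was left alone, so treat the output as a review list rather than a removal list.

```python
"""Flag orphaned loading points in HijackThis v1.99.1 log lines.

Added example for this thread; not part of HijackThis or of the posts above.
Two rules only:
  * O2  (BHO)             - the DLL is reported "(no file)" or "(file missing)"
  * O20 (Winlogon Notify) - the entry shows a bare directory (path ends in "\\"),
                            i.e. HijackThis could not name a DLL file for it
"""
import re

# Constructed sample, taken from the shape of the log posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {F04D3FF5-4877-4A24-9B73-E10C41C91FFD} - C:\\windows\\system32\\mljgd.dll (file missing)
O4 - HKLM\\..\\Run: [DAEMON Tools] "C:\\Program Files\\DAEMON Tools\\daemon.exe" -lang 1033
O20 - Winlogon Notify: jkkjk - C:\\windows\\
O20 - Winlogon Notify: NavLogon - C:\\windows\\
O20 - Winlogon Notify: WgaLogon - C:\\windows\\SYSTEM32\\WgaLogon.dll
"""

# Every HijackThis entry starts with a section code such as R1, O2, O20.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt_line(line):
    """Split one log line into section code and, for O2/O20, name and path.

    Returns None for lines that are not HijackThis entries (headers, blanks,
    process list). Sections other than O2 and O20 keep only section and raw.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip()}
    if section == "O2":
        # O2 - BHO: <name> - {CLSID} - <path or "(no file)">
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[0].startswith("BHO: "):
            entry["name"] = parts[0][len("BHO: "):]
            entry["clsid"] = parts[1]
            entry["path"] = " - ".join(parts[2:])
    elif section == "O20":
        # O20 - Winlogon Notify: <subkey name> - <path>
        prefix = "Winlogon Notify: "
        if body.startswith(prefix):
            name, _, path = body[len(prefix):].partition(" - ")
            entry["name"] = name
            entry["path"] = path
    return entry


def triage(log_text):
    """Return [(raw_line, reason)] for entries worth reviewing, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if not entry or "path" not in entry:
            continue
        path = entry["path"]
        if entry["section"] == "O2" and (
            path == "(no file)" or path.endswith("(file missing)")
        ):
            findings.append((entry["raw"], "BHO registered but its DLL is absent"))
        elif entry["section"] == "O20" and path.endswith("\\"):
            findings.append((entry["raw"], "Winlogon Notify entry names no DLL file"))
    return findings


def lines_to_fix(log_text):
    """The raw lines, ready to compare against a 'Fix checked' list."""
    return [raw for raw, _ in triage(log_text)]


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {raw}")
```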

Axel003
2007-06-09, 21:55
Gonna separate this into a couple of replies. Here are the VirusTotal results:

Antivirus Version Update Result
AhnLab-V3 2007.6.9.0 06.08.2007 no virus found
AntiVir 7.4.0.32 06.09.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 06.09.2007 no virus found
BitDefender 7.2 06.09.2007 no virus found
CAT-QuickHeal 9.00 06.09.2007 no virus found
ClamAV devel-20070416 06.09.2007 no virus found
DrWeb 4.33 06.09.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3707 06.09.2007 no virus found
Ewido 4.0 06.09.2007 no virus found
FileAdvisor 1 06.09.2007 No threat detected
Fortinet 2.85.0.0 06.09.2007 no virus found
F-Prot 4.3.2.48 06.08.2007 no virus found
F-Secure 6.70.13030.0 06.08.2007 no virus found
Ikarus T3.1.1.8 06.09.2007 no virus found
Kaspersky 4.0.2.24 06.09.2007 no virus found
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.09.2007 no virus found
NOD32v2 2320 06.09.2007 no virus found
Norman 5.80.02 06.08.2007 no virus found
Panda 9.0.0.4 06.09.2007 no virus found
Prevx1 V2 06.09.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 no virus found
VBA32 3.12.0 06.07.2007 no virus found
VirusBuster 4.3.23:9 06.09.2007 no virus found
Webwasher-Gateway 6.0.1 06.09.2007 no virus found

Axel003
2007-06-10, 01:11
Dr.Web results:

RegUBP2b-Alex.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
XPLORE~1.EXE;C:\QooBox\Quarantine\C\Program Files\ASEMBL~1;Adware.ClickSpring;;
jkkjk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
Process.exe;C:\sdfix\SDFix\apps;Tool.Prockill;;
A0161527.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.DownLoader.23807;Deleted.;
A0161751.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.DownLoader.22968;Deleted.;
A0161783.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.DownLoader.23031;Deleted.;
A0161789.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.Virtumod;Deleted.;
A0161790.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.Virtumod;Deleted.;
A0161791.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP797;Trojan.Virtumod;Deleted.;
A0162525.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP805;Tool.Prockill;;
A0162526.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP805;Tool.ShutDown.11;;
A0166000.reg;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP810;Trojan.StartPage.1505;Deleted.;
A0166032.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP810;Trojan.DownLoader.23031;Deleted.;
A0166033.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP810;Trojan.Mezzia;Deleted.;
A0166129.reg;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP810;Trojan.StartPage.1505;Deleted.;
A0166161.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP811;Probably BACKDOOR.Trojan;;
A0166162.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP811;Probably BACKDOOR.Trojan;;
A0166163.exe;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP811;Trojan.DownLoader.23031;Deleted.;
A0176429.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP815;Trojan.Virtumod;Deleted.;
A0176431.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP815;Trojan.Virtumod;Deleted.;
A0176432.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP815;Trojan.Virtumod;Deleted.;
A0176437.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP815;Trojan.Virtumod;Deleted.;
A0176438.dll;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP815;Trojan.Virtumod;Deleted.;
A0192455.reg;C:\System Volume Information\_restore{614867B3-FA23-4452-B723-39E52C34B936}\RP816;Trojan.StartPage.1505;Deleted.;
cbxwtrr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ddccy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
gebca.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
jkkijkj.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
jkklk.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mljgd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ssqpn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
stopoctr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;


And here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:10:16 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\System32\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\AIM\aim.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Alex\Desktop\Blarg\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O20 - Winlogon Notify: NavLogon - C:\windows\
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

Mr_JAk3
2007-06-10, 18:52
OK looking clean now :)

The computer runs fine?

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install an antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)


You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 4

Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Axel003
2007-06-10, 19:43
Yeah, the computer is running great, thanks a lot. The only problem is the random restarts (although I'm suspecting they're not random, because it happens at 7:30am - 9:30am continuously), but I think it's hardware related. Thanks a lot for the help!

Mr_JAk3
2007-06-10, 21:07
Hi :)

Yeah might be hardware related....

Are you always doing something specific at that time (7:30am - 9:30am)? Are you running some specific programs when it happens?

tashi
2007-06-19, 10:09
This topic has been moved to archives to prevent others with similar issues posting to it.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.