
View Full Version : Help! Smitfraud, Zlob AND dealio....



Mr.Brick
2007-09-03, 18:21
Went away for a long weekend in a house full of computer illiterate people. Came home to find I have been super infected.

The Nitty Gritty:

Dealio: had a remove option in the add/remove panel and it did the job ok except that when the computer starts a bunch of black DOS-like windows pop up very fast and then vanish and I'm left with a little window with the dealio logo. The dealio toolbar pop-ups have stopped though. Spybot doesn't seem to even notice this at all. Some googling has pointed out that most consider it to be a low security risk.

Smitfraud: has the usual problems on the board here. Can't get rid of the core elements.

Zlob: I notice that spybot scans them during the startup scan but does nothing about it or lists them as a problem. Yet it seems to linger over them for quite some time...

Here are the requested logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 03, 2007 11:14:58 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/09/2007
Kaspersky Anti-Virus database records: 402771
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 94998
Number of viruses found: 13
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 01:53:48

Infected Object Name / Virus Name / Last Action
C:\arca.exe Infected: Trojan-Clicker.Win32.Costrat.bg skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\cert8.db Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\history.dat Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\key3.db Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\parent.lock Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Robots\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Robots\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\Working\database_DA28_8E47_288E_229D\dfsr.db Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\Working\database_DA28_8E47_288E_229D\fsr.log Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\Working\database_DA28_8E47_288E_229D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Messenger\dj_engine@hotmail.com\SharingMetadata\Working\database_DA28_8E47_288E_229D\tmp.edb Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Windows Live Contacts\dj_engine@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Microsoft\Windows Live Contacts\dj_engine@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Application Data\Mozilla\Firefox\Profiles\qyc9ef6b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Temp\~DF41F.tmp Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Temp\~DF90D.tmp Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Temp\~DFE13B.tmp Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Temp\~DFE148.tmp Object is locked skipped
C:\Documents and Settings\Robots\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robots\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robots\ntuser.dat.LOG Object is locked skipped
C:\fmdkyy.exe Infected: Trojan.Win32.Agent.vk skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030859.exe Infected: Trojan.Win32.Obfuscated.hf skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030872.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030873.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030874.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030875.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP157\A0030877.exe Infected: Email-Worm.Win32.Nulprot.b skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP159\A0031871.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP159\A0031873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP159\A0032888.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP159\A0032890.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.a skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP161\A0033011.exe/SpywareBot/SpywareBot.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.a skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP161\A0033011.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP161\A0033011.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP161\A0033011.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{8C24B0FF-BF6B-413F-8D10-1D3ED335EDAC}\RP161\change.log Object is locked skipped
C:\WINDOWS\bck2.dat Infected: Email-Worm.Win32.Nulprot.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{80E62660-7D30-4812-BAFE-E0AC18D5BEF3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\poqnyxeh.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xpdx.sys Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_624.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\wsusupd.exe Infected: Trojan.Win32.Agent.vk skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:53 AM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {905DFBEA-0CE5-432A-8FF8-1AFE6A995100} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %SystemRoot%\System32\svchost.exe -k netsvcs
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA3571] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4177] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7492] command /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2697] cmd /c del "C:\WINDOWS\system32\drivers\core.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Robots\Local Settings\Temp\DealioKit1-stub-0.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: qommkhi - qommkhi.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7035 bytes

Mr_JAk3
2007-09-03, 21:41
Hello and welcome to the Forums :)

You're infected...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Mr.Brick
2007-09-04, 23:39
Hey! Thanks for the welcome.

Unfortunately VundoFix 6.5.8 doesn't find anything to remove.

I'm desperately afraid right now. My portable hard drive died on me last month, and just before all this went down so did my 3-year-old DVD burner. I have no up-to-date backups of my student work and my 3D demo reel is like 99% done.

Mr.Brick
2007-09-05, 00:10
If it matters here are the results:


VundoFix V6.5.8

Checking Java version...

Scan started at 4:31:39 PM 9/4/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


and then VundoFix closed itself.

Mr_JAk3
2007-09-05, 21:06
Hello :)

You really should get backups. You never know what may happen - hard drives are not forever. Don't you have any flash drives etc. to which you could copy the student work?

Cleaning continues...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall

Mr.Brick
2007-09-05, 23:51
Some success! The dealio install window and command panel don't show up on startup anymore. So far no pop-ups. Spybot still detected the other suspects though.

Here is the log:

ComboFix 07-08-30.3 - "Robots" 2007-09-05 16:00:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Robots\APPLIC~1\macromedia\Flash Player\#SharedObjects\WQ9X79MQ\www.broadcaster.com
C:\DOCUME~1\Robots\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Robots\STARTM~1\Programs\Startup\ta_start.lnk
C:\temp\tn3
C:\WINDOWS\system32\avpryjk.dat
C:\WINDOWS\system32\avpryjk.exe
C:\WINDOWS\system32\avpryjk_nav.dat
C:\WINDOWS\system32\avpryjk_navps.dat
C:\WINDOWS\system32\poqnyxeh.exe
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTMLSVC
-------\core
-------\NtmlSvc
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 16:02 <DIR> d-------- C:\Temp\tn3
2007-09-05 15:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 16:31 <DIR> d-------- C:\VundoFix Backups
2007-09-03 11:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 09:18 153 --a------ C:\WINDOWS\system32\delFSF.bat
2007-09-03 00:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-03 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-02 23:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-02 22:31 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-09-02 19:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-02 17:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 14:46 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-02 14:46 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-02 14:46 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-02 14:46 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-02 14:46 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-02 14:46 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-02 14:46 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-02 14:46 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-02 14:44 6,717 --ahs---- C:\WINDOWS\system32\qrqss.bak1
2007-09-02 14:31 27,947 --ah----- C:\wsusupd.exe
2007-09-02 14:31 27,947 --a------ C:\fmdkyy.exe
2007-09-02 14:30 72,832 --------- C:\WINDOWS\system32\drivers\core.sys
2007-09-02 14:30 60,928 --a------ C:\arca.exe
2007-09-02 14:30 <DIR> d-------- C:\WINDOWS\Web Download
2007-09-01 16:44 <DIR> d-------- C:\Program Files\MagicISO
2007-09-01 16:32 26,624 --a------ C:\WINDOWS\system32\FileDisk.exe
2007-09-01 16:32 10,588 --a------ C:\WINDOWS\system32\drivers\FileDisk.sys
2007-08-25 16:58 <DIR> d-------- C:\Program Files\Google
2007-08-25 16:58 <DIR> d-------- C:\DOCUME~1\Robots\APPLIC~1\Google
2007-08-22 16:45 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-22 16:45 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-08-22 16:45 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-08-22 16:45 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-08-22 16:45 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-08-22 16:45 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-08-09 17:47 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-07 16:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-07 16:09 <DIR> d-------- C:\Program Files\Bonjour
2007-08-07 16:02 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-03 15:37 --------- d-------- C:\Program Files\uTorrent
2007-09-03 15:37 --------- d-------- C:\DOCUME~1\Robots\APPLIC~1\uTorrent
2007-09-02 14:30 166933 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-05-04 15:17 314 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{905DFBEA-0CE5-432A-8FF8-1AFE6A995100}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 15:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 20:29]
"nwiz"="nwiz.exe" [2006-11-17 20:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-11-17 20:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 20:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 15:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\DOCUME~1\Robots\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkhi]
qommkhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d88711-e841-11db-bbf3-806d6172696f}]
AutoRun\command- E:\ASUSACPI.exe


Contents of the 'Scheduled Tasks' folder
2007-08-29 22:41:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 16:05:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 16:06:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 16:05

--- E O F ---

Mr_JAk3
2007-09-06, 20:32
Ok we'll continue :)

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\qrqss.bak1
C:\wsusupd.exe
C:\fmdkyy.exe
C:\WINDOWS\system32\drivers\core.sys
C:\arca.exe
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\Temp\tn3

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{905DFBEA-0CE5-432A-8FF8-1AFE6A995100}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommkhi]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq]



Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
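
The CFScript above is built from lines the helper picked out of the HijackThis log by hand: a BHO registered with "(no file)", two Winlogon Notify entries with no real DLL behind them, and autostarts launching from Temp. The Python below is an added example (not code from this forum, the helper, HijackThis or ComboFix) that automates that first pass of log triage. It parses a constructed sample in HijackThis v2 line format, modelled on the kinds of entries in the log posted earlier, and reports why an entry deserves a second look. The rules are review prompts only; legitimate software can trip them, so a person still decides what goes into a fix script.

```python
import re

# Constructed sample in HijackThis v2 log format. The entries are modelled on
# the kinds of lines seen in the log posted above, not a copy of that log.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {905DFBEA-0CE5-432A-8FF8-1AFE6A995100} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Robots\Local Settings\Temp\DealioKit1-stub-0.exe
O20 - Winlogon Notify: qommkhi - qommkhi.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HijackThis entries start with a section code (R0, O2, O4, O20, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_entry(line):
    """Split one HijackThis line into (section, body); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_entry(line):
    """Return the reasons an entry deserves a second look (empty list = nothing noted).

    These are review prompts, not a verdict: legitimate software can trip them too,
    so a human still decides what goes into a fix script.
    """
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    low = body.lower()
    reasons = []
    # A loading point whose target is gone is at best dead weight and at worst
    # the leftover of something that was only partially removed.
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("loading point references a file that is not on disk")
    # Autostarts that launch out of a Temp directory are unusual for installed software.
    if section == "O4" and re.search(r"\\temp\\", low):
        reasons.append("autostart runs an executable from a Temp directory")
    # Winlogon Notify packages load into winlogon.exe before the user's shell, so the
    # registered value should be a real DLL path; a bare name or a directory is not.
    if section == "O20":
        target = body.split(" - ", 1)[1] if " - " in body else body
        target = target.replace("(file missing)", "").strip()
        if target.endswith("\\") or "\\" not in target:
            reasons.append("Winlogon Notify entry has no usable DLL path")
    return reasons


def triage_log(text):
    """Run triage_entry over every line; return [(section, body, reasons)] for flagged lines."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            section, body = parse_entry(line)
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage_log(SAMPLE_HJT):
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, the script flags the five entries a helper would query (the nameless BHO with no file, the two Temp autostarts and both Winlogon Notify lines) and passes over the avast!, Adobe and NVIDIA entries. Paste a full HijackThis log into `SAMPLE_HJT` or read it from a file to use it on a real log; anything it flags is a candidate for closer checking, not an automatic delete.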

Mr.Brick
2007-09-06, 22:32
Didn't ask for a reboot like last time. Here is the ComboFix Log:

ComboFix 07-08-30.3 - "Robots" 2007-09-06 15:18:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Robots\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\qrqss.bak1
C:\wsusupd.exe
C:\fmdkyy.exe
C:\WINDOWS\system32\drivers\core.sys
C:\arca.exe
C:\WINDOWS\system32\drivers\core.cache.dsk


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\arca.exe
C:\fmdkyy.exe
C:\temp\tn3
C:\WINDOWS\system32\delFSF.bat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\qrqss.bak1
C:\wsusupd.exe


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-05 15:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 16:31 <DIR> d-------- C:\VundoFix Backups
2007-09-03 11:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 00:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-03 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-02 23:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-02 22:31 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-09-02 19:13 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-02 17:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 14:46 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-02 14:46 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-02 14:46 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-02 14:46 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-02 14:46 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-02 14:46 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-02 14:46 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-02 14:46 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-02 14:30 <DIR> d-------- C:\WINDOWS\Web Download
2007-09-01 16:44 <DIR> d-------- C:\Program Files\MagicISO
2007-09-01 16:32 26,624 --a------ C:\WINDOWS\system32\FileDisk.exe
2007-09-01 16:32 10,588 --a------ C:\WINDOWS\system32\drivers\FileDisk.sys
2007-08-25 16:58 <DIR> d-------- C:\Program Files\Google
2007-08-25 16:58 <DIR> d-------- C:\DOCUME~1\Robots\APPLIC~1\Google
2007-08-22 16:45 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-08-22 16:45 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-08-22 16:45 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-08-22 16:45 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-08-22 16:45 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-08-22 16:45 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-08-09 17:47 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-07 16:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-07 16:09 <DIR> d-------- C:\Program Files\Bonjour
2007-08-07 16:02 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-03 15:37 --------- d-------- C:\Program Files\uTorrent
2007-09-03 15:37 --------- d-------- C:\DOCUME~1\Robots\APPLIC~1\uTorrent
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-05-04 15:17 314 --a------ C:\Program Files\INSTALL.LOG


((((((((((((((((((((((((((((( snapshot_2007-09-05_160540.87 )))))))))))))))))))))))))))))))))))))))))

----a-w 16,384 2007-09-05 22:41:00 C:\WINDOWS\Temp\Cookies\index.dat
----a-w 32,768 2007-09-05 22:41:00 C:\WINDOWS\Temp\History\History.IE5\index.dat
----a-w 32,768 2007-09-05 22:41:00 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 15:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 20:29]
"nwiz"="nwiz.exe" [2006-11-17 20:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-11-17 20:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 20:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 18:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 15:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\DOCUME~1\Robots\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d88711-e841-11db-bbf3-806d6172696f}]
AutoRun\command- E:\ASUSACPI.exe


Contents of the 'Scheduled Tasks' folder
2007-09-05 22:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 15:21:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 15:21:31
C:\ComboFix-quarantined-files.txt ... 2007-09-06 15:21
C:\ComboFix2.txt ... 2007-09-05 16:06

--- E O F ---


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:50 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5854 bytes

Mr_JAk3
2007-09-09, 16:34
Hi and sorry for the delay, I was away...

Looks pretty good now. How is the computer running?

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols.shtml)

Note: This scanner is for Internet Explorer only!
Follow the instructions here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report into your next reply along with a fresh HijackThis log.

tashi
2007-09-17, 18:45
How is it going, Mr.Brick? :)

tashi
2007-09-22, 01:40
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.