Smitfraud-C. & Virtumonde



davep
2007-09-18, 07:52
I cannot remove Smitfraud-C. and Virtumonde. I thought I might be able to fix this on my own; so, after reading several threads, I installed Smitfraudfix. It hangs at the disk clean-up stage. I am not as clever as I thought. I need the help of an expert.

I have completed the steps outlined in the sticky. Below is the HJT log. The second post is the Kaspersky log. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:49 PM, on 9/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir Server\avguard.exe
H:\WINNT\System32\svchost.exe
H:\Program Files\ewido\security suite\ewidoctrl.exe
H:\WINNT\system32\hidserv.exe
H:\WINNT\System32\llssrv.exe
H:\WINNT\System32\nvsvc32.exe
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\MSTask.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINNT\system32\stisvc.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\Dfssvc.exe
H:\WINNT\System32\msdtc.exe
H:\WINNT\Explorer.EXE
H:\WINNT\System32\svchost.exe
H:\WINNT\TBPanel.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\LogMeIn\LogMeInSystray.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Media Player\mebelucu4.exe
H:\WINNT\mgrs.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe
H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINNT\system32\wuauclt.exe
H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Gainward] H:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroCheck] H:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] H:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [bantool] H:\WINNT\system32\sdadlrow-t2.exe
O4 - HKLM\..\Run: [g4356cbvy63] H:\WINNT\g4356cbvy63
O4 - HKLM\..\Run: [mebelucu] H:\Program Files\Windows Media Player\mebelucu4.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "H:\WINNT\system32\gvdwwaxg.dll",forkonce
O4 - HKLM\..\Run: [xunkjuni] rundll32.exe "H:\Program Files\xunkjuni\dknmtyhm.dll",Init
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ocao] "H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: 360Share Pro On Startup.lnk = H:\Program Files\360Share Pro\Gui\360Share Pro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: ClientManager2.lnk = H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Betus Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - H:\PROGRA~1\BETUSP~1\client.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: h:\winnt\system32\ldcore.dll
O23 - Service: Avira AntiVir Server (AntiVirService) - AVIRA GmbH - H:\Program Files\Avira\AntiVir Server\avguard.exe
O23 - Service: Avira Internet Update Manager (AVUpdateManager) - AVIRA GmbH - H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - H:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7957 bytes

davep
2007-09-18, 07:56
Here's the Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 9:56:55 PM
Operating System: Microsoft Windows 2000 Advanced Server, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 18/09/2007
Kaspersky Anti-Virus database records: 420078
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 144272
Number of viruses found: 38
Number of infected objects: 108
Number of suspicious objects: 8
Duration of the scan process: 01:48:46

Infected Object Name / Virus Name / Last Action
H:\Documents and Settings\Administrator\Application Data\ClientManager2\profiles.bin Object is locked skipped
H:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0GOBWM9C\lo1[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0GOBWM9C\Outerinfo-1440[1].exe Infected: Backdoor.Win32.Ciadoor.gn skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0GOBWM9C\_affvm[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.op skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0VQFQ6KW\in[1].php Infected: Exploit.VBS.Phel.do skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0YZUY7J3\3[1].exe Infected: Trojan-Downloader.Win32.VB.bbq skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0YZUY7J3\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2YDPBJFS\_affvm[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.op skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMSCY6IU\TTC-5555[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMSCY6IU\TTC-5555[1].exe NSIS: infected - 1 skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CMSCY6IU\xc23[1].exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FVD0ARYF\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZC3POVN\anti4[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ll skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZC3POVN\lkjh[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZC3POVN\wr-1-361[1].exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5MMSM2J\s2f[1].exe Infected: Trojan-Downloader.Win32.Alphabet.z skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5MMSM2J\sdadlrow-t2[1].exe Infected: Trojan-Clicker.Win32.VB.lv skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5MMSM2J\valera[1] Infected: Trojan.Win32.Agent.bck skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5MMSM2J\x5s34[2].exe Infected: Trojan.Win32.Agent.qt skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFG4HXJI\stats[1].htm Infected: Trojan-Downloader.VBS.Agent.n skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MFG4HXJI\user10[1].exe Infected: Trojan-Downloader.Win32.Small.fgr skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTOGO7BJ\TISKY008[1].exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NTOGO7BJ\ucleaner_setup[1].exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QO1LZZBF\is67718[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QO1LZZBF\tk68[1].exe Infected: Trojan.Win32.BHO.ab skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VC9HN8SO\Setup155[1].exe/data0002 Infected: Trojan.Win32.VB.bfw skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VC9HN8SO\Setup155[1].exe/data0005 Infected: Trojan.Win32.VB.bfv skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VC9HN8SO\Setup155[1].exe/data0006 Infected: Trojan.Win32.VB.bfw skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VC9HN8SO\Setup155[1].exe NSIS: infected - 3 skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X5HL2675\install[1].exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
H:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip/win1B.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip/winF4E.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/win968.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\098JC143\install[1].exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2L4D8Z0L\xc23[1].exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1SRQNGZ\anti4[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lk skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1SRQNGZ\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\G54TM1IF\is67718[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\G54TM1IF\tk68[1].exe Infected: Trojan.Win32.BHO.ab skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\G54TM1IF\TTC-5555[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\G54TM1IF\TTC-5555[1].exe NSIS: infected - 1 skipped
H:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Program Files\Accessories\meso5555.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\Program Files\Common Files\Yazzle1162OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
H:\Program Files\Common Files\Μicrosoft.NET\spoolsv.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
H:\Program Files\hlpsrv.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\Program Files\LogMeIn\update\2-30-517.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\Program Files\Microsoft Script Debugger\meso5555.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\Program Files\ucleaner_setup.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
H:\Program Files\Windows Media Player\mebelucu4.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
H:\WINNT\Debug\ipsecpa.log Object is locked skipped
H:\WINNT\Debug\oakley.log Object is locked skipped
H:\WINNT\Debug\PASSWD.LOG Object is locked skipped
H:\WINNT\mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
H:\WINNT\SchedLgU.Txt Object is locked skipped
H:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINNT\Sti_Trace.log Object is locked skipped
H:\WINNT\system32\3.exe Infected: Trojan-Downloader.Win32.VB.bbq skipped
H:\WINNT\system32\acyefbiv.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\cbxuvvw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
H:\WINNT\system32\config\default Object is locked skipped
H:\WINNT\system32\config\default.LOG Object is locked skipped
H:\WINNT\system32\config\SAM Object is locked skipped
H:\WINNT\system32\config\SAM.LOG Object is locked skipped
H:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
H:\WINNT\system32\config\SECURITY Object is locked skipped
H:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
H:\WINNT\system32\config\software Object is locked skipped
H:\WINNT\system32\config\software.LOG Object is locked skipped
H:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
H:\WINNT\system32\config\system Object is locked skipped
H:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
H:\WINNT\system32\drvgaj.dll Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\system32\drvtej.dll Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\system32\drvwux.dll Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\system32\DTCLog\MSDTC.LOG Object is locked skipped
H:\WINNT\system32\eamebsgk.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\fixpawkf.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\fpbtqpak.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\hggeeeb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\WINNT\system32\ldcore.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
H:\WINNT\system32\lkrxhiij.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\lnxujcrr.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\mgdnxekf.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\mlvffnvq.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\onidradj.exe Infected: Trojan.Win32.Agent.bck skipped
H:\WINNT\system32\Perflib_Perfdata_398.dat Object is locked skipped
H:\WINNT\system32\Perflib_Perfdata_8f4.dat Object is locked skipped
H:\WINNT\system32\s2f.exe Infected: Trojan-Downloader.Win32.Alphabet.z skipped
H:\WINNT\system32\Setup155.exe/data0002 Infected: Trojan.Win32.VB.bfw skipped
H:\WINNT\system32\Setup155.exe/data0005 Infected: Trojan.Win32.VB.bfv skipped
H:\WINNT\system32\Setup155.exe/data0006 Infected: Trojan.Win32.VB.bfw skipped
H:\WINNT\system32\Setup155.exe NSIS: infected - 3 skipped
H:\WINNT\system32\ssqnlmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\WINNT\system32\user10.exe Infected: Trojan-Downloader.Win32.Small.fgr skipped
H:\WINNT\system32\waverevenue.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
H:\WINNT\system32\winohw32.dll Infected: Trojan.Win32.Agent.qt skipped
H:\WINNT\system32\wmvds32.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
H:\WINNT\system32\wvusqno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\WINNT\system32\xlkahfgg.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\xmcrxokn.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\system32\yayayyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\WINNT\system32\ykswklpn.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\WINNT\Temp\1664.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\3232.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\32sys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\64power.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\agentwin.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\gos28DD.tmp Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\Temp\gos9C9.tmp Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\Temp\gosF57.tmp Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\Temp\hostlook.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\hostmon.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\mst14.tmp Infected: Trojan.Win32.Agent.qt skipped
H:\WINNT\Temp\powerhost.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\powersv.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\serverserver.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\synhost.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\Temp\win1F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.lk skipped
H:\WINNT\Temp\win28C1.tmp Object is locked skipped
H:\WINNT\Temp\win28C2.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\Temp\win28C8.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
H:\WINNT\Temp\win28E5.tmp.exe Infected: Trojan-Downloader.Win32.Zlob.cqo skipped
H:\WINNT\Temp\win28EA.tmp.exe Infected: Trojan-Downloader.Win32.VB.bjr skipped
H:\WINNT\Temp\win96C.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\Temp\win9C0.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
H:\WINNT\Temp\winsyn.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\WINNT\uninst1014.exe Infected: Trojan.Win32.VB.bfw skipped
H:\WINNT\uni_eh44.exe Infected: Trojan.Win32.VB.bfv skipped
H:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

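The two reports above describe the same file in two forms: HijackThis lists the HKCU Run entry as H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe, and Kaspersky lists H:\Program Files\Common Files\Μicrosoft.NET\spoolsv.exe, where the first letter of the directory is U+039C GREEK CAPITAL LETTER MU rather than an ASCII M, which is consistent with the 8.3 short name having lost its leading character. A lookalike directory name combined with a system-binary filename (spoolsv.exe is the print spooler, which lives in system32) is a masquerade that a quick read of the log will miss. The Python script below is an added example, not part of this thread and not a feature of HijackThis, Kaspersky, SDFix or ComboFix: it runs a few triage checks over lines copied from the logs above (non-ASCII characters in a path, a system binary name outside the Windows directory, bare filenames with no path, names with almost no vowels, AppInit_DLLs entries, BHOs whose file is missing) and attaches Kaspersky's verdict where the full path matches. The heuristics, thresholds and the SYSTEM_BINARIES list are the example's own assumptions and will flag some legitimate entries; 8.3 short names are only reported, because they cannot be resolved from a log file.

```python
"""Triage HijackThis autostart lines and cross-reference them with Kaspersky verdicts.
Added example for this thread; the checks and thresholds are this example's own assumptions."""
import re
import unicodedata

# Windows binaries that legitimately live only under %SystemRoot% or %SystemRoot%\system32 (assumed list).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
                   "smss.exe", "services.exe", "csrss.exe", "explorer.exe"}

# Constructed sample: lines copied from the two HijackThis logs in this thread, with the
# benign Java updater line kept as a control.
HJT_LINES = [
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "H:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"',
    'O4 - HKLM\\..\\Run: [g4356cbvy63] H:\\WINNT\\g4356cbvy63',
    'O4 - HKLM\\..\\Run: [SystemOptimizer] rundll32.exe "H:\\WINNT\\system32\\gvdwwaxg.dll",forkonce',
    'O4 - HKCU\\..\\Run: [Ocao] "H:\\PROGRA~1\\COMMON~1\\ICROSO~1.NET\\spoolsv.exe" -vt yazb',
    'O4 - HKLM\\..\\RunServices: [winlog] winlog.exe',
    'O20 - AppInit_DLLs: h:\\winnt\\system32\\ldcore.dll',
    'O2 - BHO: (no name) - {9A52751B-BD89-A11E-D8DC-E0ABDE7153B6} - H:\\WINNT\\system32\\xamnm.dll (file missing)',
]

# Constructed sample: lines copied from the Kaspersky report in this thread. The directory in the
# second line starts with U+039C GREEK CAPITAL LETTER MU, exactly as the report prints it.
KAV_LINES = [
    'H:\\WINNT\\system32\\ldcore.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped',
    'H:\\Program Files\\Common Files\\\u039cicrosoft.NET\\spoolsv.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped',
    'H:\\WINNT\\system32\\config\\SAM Object is locked skipped',
]

def parse_kaspersky(lines):
    """Map lower-cased path -> verdict for 'Infected:' lines; locked or clean objects are ignored."""
    verdicts = {}
    for line in lines:
        m = re.match(r'(.+?) Infected: (\S+) skipped$', line)
        if m:
            verdicts[m.group(1).lower()] = m.group(2)
    return verdicts

def extract_path(line):
    """Return the file path an HJT line points at, or None when only a bare name is given."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', line)                         # quoted path, may contain spaces
    if m:
        return m.group(1)
    m = re.search(r'([A-Za-z]:\\.+?)(?:\s\(file missing\)|,|$)', line)  # unquoted path
    return m.group(1).strip() if m else None

def non_ascii_chars(path):
    """Characters outside ASCII, with their Unicode names, so a lookalike letter is obvious."""
    return [(c, unicodedata.name(c, "?")) for c in path if ord(c) > 127]

def lookalike_paths(kav_lines):
    """Detected paths in a Kaspersky report that contain non-ASCII characters (possible lookalike directories)."""
    paths = [line.split(" Infected: ")[0] for line in kav_lines if " Infected: " in line]
    return [(p, non_ascii_chars(p)) for p in paths if non_ascii_chars(p)]

def masquerading_system_binary(path):
    """True when a well-known system binary name runs from outside the Windows directory."""
    parent, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and not parent.endswith(("\\system32", "\\winnt", "\\windows"))

def looks_generated(stem):
    """Heuristic: five or more letters with at most one vowel in five reads as machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) <= 0.2

def assess(line, verdicts):
    """Return the reasons an HJT line deserves a closer look; an empty list means nothing was flagged."""
    reasons = []
    kind = line.split(" - ", 1)[0]
    path = extract_path(line)
    if path is None:
        m = re.search(r'\]\s+([\w.-]+\.(?:exe|dll))\b', line)
        if m:
            reasons.append(f"bare filename {m.group(1)}: resolved via the search path, location unknown")
        return reasons
    filename = path.rpartition("\\")[2]
    for ch, name in non_ascii_chars(path):
        reasons.append(f"non-ASCII character {ch!r} ({name}) in path")
    if "~" in path:
        reasons.append("8.3 short-name path: resolve the long name (dir /x) before judging it")
    if masquerading_system_binary(path):
        reasons.append(f"{filename} is a system binary name outside the Windows directory")
    if looks_generated(filename.rpartition(".")[0] or filename):
        reasons.append(f"machine-generated-looking name {filename}")
    if kind == "O20":
        reasons.append("AppInit_DLLs: loaded into every process that maps user32.dll")
    if "(file missing)" in line:
        reasons.append("registered component whose file is gone (orphaned CLSID)")
    if path.lower() in verdicts:
        reasons.append(f"Kaspersky verdict {verdicts[path.lower()]}")
    return reasons

def flagged(hjt_lines, kav_lines):
    """Pair each flagged HJT line with its reasons, in log order."""
    verdicts = parse_kaspersky(kav_lines)
    return [(line, assess(line, verdicts)) for line in hjt_lines if assess(line, verdicts)]

if __name__ == "__main__":
    for line, reasons in flagged(HJT_LINES, KAV_LINES):
        print(line)
        for r in reasons:
            print("   -", r)
    for path, chars in lookalike_paths(KAV_LINES):
        print("lookalike directory:", path, chars)
```

Run it as a script to print the flagged lines and any detected path containing non-ASCII characters. Matching Kaspersky verdicts to HijackThis entries by full path only works where both tools print the long name; on the live machine, resolve short names first (dir /x in the parent directory shows both forms) and compare the resolved path.
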
Angelfire777
2007-09-18, 16:26
Hi, welcome to Safer Networking!

Is your Avira up to date? I can't believe it's allowing this mess...


You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for ISP login, email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

After you have done that,

*Look in your control panels add/remove programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

*Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

Reboot when done.
_____

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt
_____

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)

1. Save it to your desktop.
2. Make sure you save and close ALL open windows and programs that you are running in the taskbar as combofix will attempt to end all non-windows processes for a faster and more successful cleaning.

Click start > run > copy and paste:

"%userprofile%\desktop\combofix.exe" /killall

3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
_______

HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.


On your next reply, please include a
Fresh HijackThis log.
HJT Uninstall list
Combofix log.
SDFix log

davep
2007-09-19, 03:17
Thanks AngelFire777,

I'm not even certain my Avira is functional. I downloaded post infection.

I did not find any of the listed programs for uninstall.

I got an error message during the SDFix routine after the Restoring Window Registry Value and Restoring Default Hosts File: "Cannot import apps\FIXCU.reg: Error accessing the registry." It continued and finished after clicking OK.

Also, combofix would not run from Start > run > copy and paste:

"%userprofile%\desktop\combofix.exe" /killall

So, I just ran the program from the desktop icon.

With all that said, the logs you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:01 PM, on 9/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir Server\avguard.exe
H:\WINNT\System32\svchost.exe
H:\Program Files\ewido\security suite\ewidoctrl.exe
H:\WINNT\system32\hidserv.exe
H:\WINNT\System32\llssrv.exe
H:\WINNT\System32\nvsvc32.exe
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\MSTask.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINNT\system32\stisvc.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\System32\msdtc.exe
H:\WINNT\system32\Dfssvc.exe
H:\WINNT\Explorer.EXE
H:\WINNT\TBPanel.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\LogMeIn\LogMeInSystray.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Windows Media Player\mebelucu4.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {753F1E77-0039-476C-A2D6-71714D323F00} - H:\Program Files\Accessories\meso455101.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9A52751B-BD89-A11E-D8DC-E0ABDE7153B6} - H:\WINNT\system32\xamnm.dll (file missing)
O2 - BHO: (no name) - {9E210118-BD8F-A12A-D8DC-E0ABDE7153B6} - H:\WINNT\system32\xamnm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Gainward] H:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroCheck] H:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mebelucu] H:\Program Files\Windows Media Player\mebelucu4.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ocao] "H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe" -vt yazb
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: 360Share Pro On Startup.lnk = H:\Program Files\360Share Pro\Gui\360Share Pro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: ClientManager2.lnk = H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Betus Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - H:\PROGRA~1\BETUSP~1\client.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Server (AntiVirService) - AVIRA GmbH - H:\Program Files\Avira\AntiVir Server\avguard.exe
O23 - Service: Avira Internet Update Manager (AVUpdateManager) - AVIRA GmbH - H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - H:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8046 bytes

HJT Uninstall list:

Ad-Aware SE Personal
Adobe Photoshop 7.0
Adobe Reader 7.0.9
AGS CD-ROM Version 3.0
Ahead InCD
Ahead InCD EasyWrite Reader
Alias SketchBook Pro 2.0
AnswerWorks Runtime
Apple Software Update
Audio Conversion Wizard 1.68.1
Autodesk Architectural Desktop 3.3
Avira AntiVir Server
Betus Poker
BUFFALO Client Manager2
CAM UnZip 4.0
Canon Camera TWAIN Driver 6.0
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Client Manager
Comcast Rhapsody
Corel Painter IX
eMule
eMusic - 50 Free MP3 offer
ewido security suite
EXPERTool
ffdshow (remove only)
FreeUndelete
General Structures Test Bank
Ghost Recon
Google Earth
Google SketchUp 6
Google SketchUp 6
Google SketchUp 6 Exporters
Google SketchUp LayOut 6
Google SketchUp Pro 6
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
hp deskjet 930c series
hp deskjet 930c series (Remove only)
Internet Update Manager
iTunes
J2SE Runtime Environment 5.0 Update 1
Java(TM) 6 Update 2
Kaspersky Online Scanner
KBGear Tablet
LogMeIn
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Mozilla Firefox (2.0.0.6)
MSN Music Assistant
Nero - Burning Rom
NVIDIA Windows 2000/XP Display Drivers
Piranesi 4
PL-2303 USB-to-Serial
Podium
QuickTime
RealPlayer
Rhinoceros 3.0
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
SIM Reader
SketchUp 5
SoundMAX
Spybot - Search & Destroy 1.4
Undisker
Update Rollup 1 for Windows 2000 SP4
Uplink
VIA Rhine-Family Fast Ethernet Adapter
Virtual Paratition Pro Version:1.2
Volo View Express
Winamp (remove only)
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB899591
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912812
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
Wireless Keyboard && Optical Mouse

davep
2007-09-19, 03:22
ComboFix 07-09-18.4 - "Administrator" 09/18/2007 19:29:15.1 - NTFSx86
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.334 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\DOCUME~1\ADMINI~1\Desktop\Find Spyware Remover.lnk
H:\DOCUME~1\DEFAUL~1\Desktop\searchus.exe
H:\Program Files\Accessories\meso5555.dll
H:\Program Files\Common Files\icroso~1.net
H:\Program Files\Common Files\icroso~1.net\?icrosoft.NET\
H:\Program Files\Common Files\icroso~1.net\spoolsv.exe
H:\Program Files\Microsoft Script Debugger\meso5555.dll
H:\Program Files\s2f.exe
H:\Program Files\ucleaner_setup.exe
H:\Program Files\Ultimate Cleaner
H:\WINNT\cookies.ini
H:\WINNT\system32\3.exe
H:\WINNT\system32\aligwayp.dll
H:\WINNT\system32\awhsljsj.dll
H:\WINNT\system32\awtsp.dll
H:\WINNT\system32\bphasjrn.ini
H:\WINNT\system32\cbxuvvw.dll
H:\WINNT\system32\chgqropi.exe
H:\WINNT\system32\clybjjnt.exe
H:\WINNT\system32\dvhkpevv.ini
H:\WINNT\system32\evfdxlgl.exe
H:\WINNT\system32\eyetpfce.exe
H:\WINNT\system32\fgmmnicn.exe
H:\WINNT\system32\fiheldpr.exe
H:\WINNT\system32\fimfwlap.ini
H:\WINNT\system32\fkatldnl.dll
H:\WINNT\system32\gdwocsrb.exe
H:\WINNT\system32\geemjmsg.dll
H:\WINNT\system32\gmxenkkt.dll
H:\WINNT\system32\gsmjmeeg.ini
H:\WINNT\system32\gvdwwaxg.dll
H:\WINNT\system32\gxawwdvg.ini
H:\WINNT\system32\hggeeeb.dll
H:\WINNT\system32\hrwpvxyn.ini
H:\WINNT\system32\ifpkqkqw.exe
H:\WINNT\system32\jculoiwp.exe
H:\WINNT\system32\jfgchdiq.ini
H:\WINNT\system32\jsjlshwa.ini
H:\WINNT\system32\khhhwhtn.exe
H:\WINNT\system32\kjrgctxp.ini
H:\WINNT\system32\kwwglbow.exe
H:\WINNT\system32\lggxjein.ini
H:\WINNT\system32\lndltakf.ini
H:\WINNT\system32\mjmlnsid.exe
H:\WINNT\system32\mqetakkw.exe
H:\WINNT\system32\muwu.dll
H:\WINNT\system32\niejxggl.dll
H:\WINNT\system32\nrjsahpb.dll
H:\WINNT\system32\ntvognog.exe
H:\WINNT\system32\nyxvpwrh.dll
H:\WINNT\system32\onidradj.exe
H:\WINNT\system32\palwfmif.dll
H:\WINNT\system32\pjnsxybj.exe
H:\WINNT\system32\pomwlfpj.exe
H:\WINNT\system32\pstwa.bak1
H:\WINNT\system32\pstwa.bak2
H:\WINNT\system32\pstwa.ini
H:\WINNT\system32\pstwa.ini2
H:\WINNT\system32\pstwa.tmp
H:\WINNT\system32\pxtcgrjk.dll
H:\WINNT\system32\pyawgila.ini
H:\WINNT\system32\qidhcgfj.dll
H:\WINNT\system32\qpqqolkw.dll
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\rfrrqtsu.exe
H:\WINNT\system32\rgavogte.exe
H:\WINNT\system32\setup155.exe
H:\WINNT\system32\ssqnlmn.dll
H:\WINNT\system32\tigvkprj.exe
H:\WINNT\system32\tkknexmg.ini
H:\WINNT\system32\tsks~1
H:\WINNT\system32\tsks~1\T?sks\
H:\WINNT\system32\ttrwodyj.exe
H:\WINNT\system32\udmlpsmf.exe
H:\WINNT\system32\uhxdntao.exe
H:\WINNT\system32\umjyjoqk.exe
H:\WINNT\system32\uvsjlgbg.exe
H:\WINNT\system32\vgmpxhdq.exe
H:\WINNT\system32\vtinpjvk.exe
H:\WINNT\system32\vvepkhvd.dll
H:\WINNT\system32\vwtwhhys.exe
H:\WINNT\system32\whbbitdm.exe
H:\WINNT\system32\winohw32.dll
H:\WINNT\system32\wmvds32.dll
H:\WINNT\system32\wnscpisv.exe
H:\WINNT\system32\wvusqno.dll
H:\WINNT\system32\wxjvqunk.exe
H:\WINNT\system32\yayayyv.dll
H:\WINNT\system32\ykpyslbc.dll
H:\WINNT\uni_eh44.exe
H:\WINNT\uninst1014.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE


((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-18 19:33 16,384 --a----t- H:\WINNT\system32\Perflib_Perfdata_388.dat
2007-09-18 19:24 51,200 --a------ H:\WINNT\NirCmd.exe
2007-09-18 18:53 <DIR> d-------- H:\WINNT\ERUNT
2007-09-17 21:03 10,240 --a------ H:\Program Files\hlpsrv.exe
2007-09-17 21:02 15,360 --a------ H:\WINNT\system32\drvtejr.dll
2007-09-17 21:02 103,936 --a------ H:\WINNT\system32\drvtej.dll
2007-09-17 21:02 <DIR> d-------- H:\Program Files\xunkjuni
2007-09-17 19:55 <DIR> d-a------ H:\WINNT\system32\Kaspersky Lab
2007-09-17 19:55 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-21 22:48 <DIR> d-------- H:\Program Files\Avira
2007-08-21 22:48 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir Server
2007-08-21 22:33 <DIR> d-------- H:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-08-21 01:22 3,570 --a------ H:\WINNT\system32\tmp.reg
2007-08-21 01:20 53,248 --a------ H:\WINNT\system32\Process.exe
2007-08-21 01:20 51,200 --a------ H:\WINNT\system32\dumphive.exe
2007-08-21 01:20 288,417 --a------ H:\WINNT\system32\SrchSTS.exe
2007-08-19 20:40 <DIR> d-------- H:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools
2007-08-18 19:05 95,232 --a------ H:\WINNT\system32\drvwux.dll
2007-08-18 19:05 15,360 --a------ H:\WINNT\system32\drvwuxr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-09-18 19:30 --------- d-------- H:\Program Files\Microsoft Script Debugger
07-09-18 19:30 --------- d-------- H:\Program Files\Accessories
07-08-21 23:04 --------- d--h----- H:\Program Files\InstallShield Installation Information
07-08-20 22:53 --------- d-------- H:\Program Files\PartyGaming
07-08-19 22:02 --------- d--hs---- H:\Program Files\outlook
07-08-14 22:05 --------- d-------- H:\DOCUME~1\DEFAUL~1\APPLIC~1\Google
07-08-13 18:50 --------- d-------- H:\Program Files\iTunes
07-08-13 18:50 --------- d-------- H:\Program Files\iPod
05-02-07 15:10 271 ---h----- H:\Program Files\desktop.ini
05-02-07 15:10 21952 ---h----- H:\Program Files\folder.htt
2007-05-05 00:50:07 1,004 --sha-w H:\WINNT\system32\KGyGaAvL.sys
1997-07-22 00:30:54 1,045,776 --sha-w H:\WINNT\system32\Msjet35.dll
1997-06-23 08:00:00 123,664 --sha-w H:\WINNT\system32\Msjint35.dll
1997-06-23 17:06:50 24,848 --sha-w H:\WINNT\system32\Msjter35.dll
1997-06-23 17:06:50 252,176 --sha-w H:\WINNT\system32\Msrd2x35.dll
1997-06-23 17:06:50 287,504 --sha-w H:\WINNT\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{753F1E77-0039-476C-A2D6-71714D323F00}]
H:\Program Files\Accessories\meso455101.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A52751B-BD89-A11E-D8DC-E0ABDE7153B6}]
H:\WINNT\system32\xamnm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E210118-BD8F-A12A-D8DC-E0ABDE7153B6}]
H:\WINNT\system32\xamnm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="H:\WINNT\TBPanel.exe" [02-07-22 05:28 ]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [02-05-23 23:42 H:\WINNT\system32\nwiz.exe]
"TkBellExe"="H:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-07-16 01:50 ]
"LogMeIn GUI"="H:\Program Files\LogMeIn\LogMeInSystray.exe" [06-10-06 21:55 ]
"NeroCheck"="H:\WINNT\system32\\NeroCheck.exe" [02-10-08 05:03 ]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"HPDJ Taskbar Utility"="H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [06-01-13 19:36 ]
"WinampAgent"="H:\Program Files\Winamp\winampa.exe" [06-09-26 09:49 ]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"FLMOFFICE4DMOUSE"="H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe" [07-05-02 17:51 ]
"OFFICEKB"="H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe" [07-05-02 17:51 ]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 ]
"mebelucu"="H:\Program Files\Windows Media Player\mebelucu4.exe" [07-08-07 15:30 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-11 01:43 ]
"Ocao"="H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

H:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 20:36:11]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Alias SketchBook Snapshot.lnk - H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe [2005-06-03 15:33:44]
ClientManager2.lnk - H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe [2004-08-30 02:15:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Client Manager.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Client Manager.lnk
backup=H:\WINNT\pss\Client Manager.lnkCommon Startup

R0 avgntmgr;avgntmgr;H:\WINNT\system32\drivers\avgntmgr.sys
R0 DfsDriver;DfsDriver;H:\WINNT\system32\drivers\Dfs.sys
R1 avgntdd;avgntdd;H:\WINNT\system32\drivers\avgntdd.sys
R1 BUFADPT;BUFADPT;\??\H:\WINNT\System32\BUFADPT.SYS
R1 ewido security suite driver;ewido security suite driver;\??\H:\Program Files\ewido\security suite\guard.sys
R2 AVUpdateManager;Avira Internet Update Manager;H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
R2 bwcdrv;BUFFALO Wireless Configuration;H:\WINNT\system32\DRIVERS\bwcdrv.sys
R2 Dfs;Distributed File System;H:\WINNT\system32\Dfssvc.exe
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\H:\Program Files\LogMeIn\RaInfo.sys
R3 Cardex;Cardex;\??\H:\WINNT\TBPANEL.SYS
R3 CBBCM43;BUFFALO WLI-CB-G54 Wireless Network Adapter;H:\WINNT\system32\DRIVERS\bcmwl5.sys
R3 LMImirr;LMImirr;H:\WINNT\system32\DRIVERS\LMImirr.sys
R3 usbhub20;USB 2.0 Root Hub Support;H:\WINNT\system32\DRIVERS\usbhub20.sys
S3 ESSIDSET;ESSIDSET;\??\H:\WINNT\System32\ESSIDSET.SYS
S3 NtFrs;File Replication;H:\WINNT\system32\ntfrs.exe
S3 TDASYNC;TDASYNC;H:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;H:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;H:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;H:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;H:\WINNT\system32\services.exe
S3 W2kbhid;KBGear Tablet (USB);H:\WINNT\system32\DRIVERS\W2kbhid.sys
S3 Wtcls2k;Wtcls2k;H:\WINNT\system32\DRIVERS\Wtcls2k.sys
S4 BsUDF;InCD UDF Driver;H:\WINNT\system32\drivers\BsUDF.sys
S4 IsmServ;Intersite Messaging;H:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;H:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-08-20 15:13:10 H:\WINNT\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 19:33:53
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-18 19:34:50 - machine was rebooted
H:\ComboFix-quarantined-files.txt ... 07-09-18 19:34
.
--- E O F ---

SDFix: Version 1.105

Run by Administrator on Tue 09/18/2007 at 6:54p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: H:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

H:\WINNT\Temp\1.dllb - Deleted
H:\WINNT\Temp\2.dllb - Deleted
H:\WINNT\Temp\5.dllb - Deleted
H:\WINNT\Temp\win901.tmp.exe - Deleted
H:\WINNT\Temp\win96C.tmp.exe - Deleted
H:\WINNT\Temp\win977.tmp.exe - Deleted
H:\WINNT\Temp\win9C0.tmp.exe - Deleted
H:\WINNT\Temp\win9CE.tmp.exe - Deleted
H:\WINNT\Temp\winF5C.tmp.exe - Deleted
H:\WINNT\Temp\win901.tmp.exe - Deleted
H:\WINNT\Temp\win96C.tmp.exe - Deleted
H:\WINNT\Temp\win977.tmp.exe - Deleted
H:\WINNT\Temp\win9C0.tmp.exe - Deleted
H:\WINNT\Temp\win9CE.tmp.exe - Deleted
H:\WINNT\Temp\winF5C.tmp.exe - Deleted
H:\WINNT\mgrs.exe - Deleted
H:\WINNT\system32\ldcore.dll - Deleted
H:\WINNT\system32\ldinfo.ldr - Deleted
H:\WINNT\system32\n.ini - Deleted
H:\WINNT\system32\user10.exe - Deleted
H:\WINNT\system32\waverevenue.exe - Deleted
H:\WINNT\Temp\removalfile.bat - Deleted


Folder H:\WINNT\system32\f06WtR - Removed

Removing Temp Files...

ADS Check:

H:\WINNT
No streams found.

H:\WINNT\system32
No streams found.

H:\WINNT\system32\svchost.exe
No streams found.

H:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

File Backups: - H:\SDFix\backups\backups.zip

Files with Hidden Attributes:

H:\From hard drive c\WINNT\system32\Msjet35.dll
H:\From hard drive c\WINNT\system32\Msjint35.dll
H:\From hard drive c\WINNT\system32\Msjter35.dll
H:\From hard drive c\WINNT\system32\Msrd2x35.dll
H:\From hard drive c\WINNT\system32\Msxbse35.dll
H:\WINNT\system32\Msjet35.dll
H:\WINNT\system32\Msjint35.dll
H:\WINNT\system32\Msjter35.dll
H:\WINNT\system32\Msrd2x35.dll
H:\WINNT\system32\Msxbse35.dll
H:\Program Files\Common Files\?icrosoft.NET\spoolsv.exe
H:\WINNT\system32\KGyGaAvL.sys
H:\From hard drive c\WINNT\Temp\OLD2.tmp
H:\From hard drive c\WINNT\Temp\OLD3.tmp
H:\WINNT\system32\pstwa.tmp
H:\WINNT\Temp\EMULE1ef\Microsoft Office v7.0b for Windows 95 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Lord of the Rings The Battle for Middle-earth v1.00 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Windows 2000 Pro Retail serial keygen.zip

Finished!

Angelfire777
2007-09-19, 12:15
Hi,


I'm not even certain my Avira is functional. I downloaded post infection.

I see. That would explain the huge number of infections.


H:\WINNT\Temp\EMULE1ef\Microsoft Office v7.0b for Windows 95 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Lord of the Rings The Battle for Middle-earth v1.00 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Windows 2000 Pro Retail serial keygen.zip

If you're the one who downloaded those cracks, I suggest that you stop doing it. I'm sure that the infections you have right now are because of these cracks. Not only are you violating those programs' EULA, you're also trying to destroy your machine.
======

*Uninstall the item in bold if found:

J2SE Runtime Environment 5.0 Update 1

*A few optionals that I would recommend be uninstalled.

eMule
eMusic - 50 Free MP3 offer
I have reason to believe that you are only using eMule to download cracks for software, so I recommend that you remove it from your system.

Betus Poker
Party Poker
Programs like these serve as vectors for malware to enter in your system.

I suggest a safer and cleaner alternative: www.pokerstars.net

ewido security suite
Ewido is now called AVG AntiSpyware. If you have the paid version of Ewido, I suggest that you upgrade it and use it to scan your system later. If not, please uninstall it; you can download the new AVG AntiSpyware here: www.ewido.net

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.


*Using Windows Explorer, delete the following folders if you uninstalled their corresponding programs:

H:\Program Files\PartyGaming <<party poker
H:\Program Files\Betus Poker
H:\Program Files\Emule
H:\Program Files\ewido

Empty your Recycle Bin.
____

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = H:\windows\system32\blank.htm

fix the following if you uninstalled Betus poker:

O9 - Extra button: Betus Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - H:\PROGRA~1\BETUSP~1\client.exe

fix the following if you uninstalled party poker:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____

Combofix Deletions
Open Notepad.
Copy and paste the text inside the code box below into Notepad.


http://forums.spybot.info/showthread.php?p=120684#post120684

File::
H:\Program Files\hlpsrv.exe
H:\WINNT\system32\drvtejr.dll
H:\WINNT\system32\drvtej.dll
H:\WINNT\system32\drvwux.dll
H:\WINNT\system32\drvwuxr.dll
H:\WINNT\Temp\EMULE1ef\Microsoft Office v7.0b for Windows 95 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Lord of the Rings The Battle for Middle-earth v1.00 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Windows 2000 Pro Retail serial keygen.zip
H:\WINNT\system32\pstwa.tmp
H:\WINNT\system32\tmp.reg
H:\WINNT\system32\dumphive.exe
H:\WINNT\system32\SrchSTS.exe

Folder::
H:\Program Files\xunkjuni

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{753F1E77-0039-476C-A2D6-71714D323F00}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A52751B-BD89-A11E-D8DC-E0ABDE7153B6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E210118-BD8F-A12A-D8DC-E0ABDE7153B6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mebelucu"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ocao"=-

Collect::
H:\Program Files\Windows Media Player\mebelucu4.exe

Dirlook::
H:\Program Files\outlook
Save it and name it "CFScript".
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
ComboFix will restart your machine and then produce a log.
Please post the contents of that log along with a fresh HijackThis log.
Additionally, please follow all of ComboFix's instructions regarding the submission of malware samples for analysis, and make sure that you don't leave that part out.
_____

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset the zoom to 100%.
____

In your next reply, please include:
a fresh HijackThis log
the ComboFix log
the Kaspersky scan log

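The helper's instructions above combine two steps a practitioner does by hand: reading the HijackThis log for orphaned BHOs and Run values that do not belong (the `(file missing)` entries, and `spoolsv.exe` launched from `ICROSO~1.NET` instead of `system32`), then writing those findings into a ComboFix CFScript with `File::` and `Registry::` sections. The script below is an added example and is not part of the thread, of HijackThis or of ComboFix. Its heuristics are assumptions about what a helper looks for: a BHO whose DLL is missing, a Run value whose executable reuses a Windows service binary name from outside `system32`, and a path component containing a character that is illegal in a Windows file name, which is how the ComboFix and SDFix output above renders a folder such as `?icrosoft.NET`. The sample lines are copied from the HijackThis log posted earlier in the thread; the CFScript layout follows the one posted above.

```python
"""Triage HijackThis O2/O4 lines and draft the matching ComboFix CFScript.

Added example, not part of HijackThis, ComboFix or this forum's procedure.
The heuristics are assumptions about what a helper checks by eye.
"""
import re

# Windows service binaries whose names malware reuses to blend in (assumed list).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "explorer.exe"}

# A Windows file name can never contain these; if a removal tool prints one of
# them inside a path component, the real folder name held a non-printable char.
ILLEGAL_IN_NAME = set('<>:"/|?*')

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def exe_from_command(cmd):
    """Extract the executable path from a Run value's command line.

    Quoted paths are taken verbatim; unquoted ones are cut after the first
    ".exe", which copes with unquoted paths that contain spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(" ")[0]


def suspicious_path(path):
    """Return the reasons (possibly none) a file path looks like malware."""
    reasons = []
    parts = path.split("\\")
    base = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) >= 2 else ""
    if base in SYSTEM_BINARIES and parent != "system32":
        reasons.append("system binary name outside system32")
    # Skip the drive letter's colon before looking for illegal characters.
    if any(c in ILLEGAL_IN_NAME for c in path.split(":", 1)[-1]):
        reasons.append("path contains a character illegal in a Windows file name")
    return reasons


def triage_log(text):
    """Scan HijackThis O2/O4 lines; return a list of (reason, record) findings."""
    findings = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(("BHO registered but its DLL is missing",
                                 {"type": "O2", "clsid": m["clsid"], "path": m["path"]}))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            rec = {"type": "O4", "hive": m["hive"], "name": m["name"], "path": exe}
            for reason in suspicious_path(exe):
                findings.append((reason, rec))
    return findings


def build_cfscript(findings):
    """Render findings as a CFScript: File:: deletions and Registry:: removals."""
    files, registry, seen = [], [], set()
    for _reason, rec in findings:
        if rec["type"] == "O2":
            registry.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{rec['clsid']}]")
        elif (rec["hive"], rec["name"]) not in seen:
            seen.add((rec["hive"], rec["name"]))
            files.append(rec["path"])
            registry.append(f"[{HIVES[rec['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            registry.append(f'"{rec["name"]}"=-')
    out = []
    if files:
        out += ["File::"] + files + [""]
    if registry:
        out += ["Registry::"] + registry
    return "\n".join(out)


# Constructed sample: five lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {753F1E77-0039-476C-A2D6-71714D323F00} - H:\Program Files\Accessories\meso455101.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gainward] H:\WINNT\TBPanel.exe /A
O4 - HKCU\..\Run: [Ocao] "H:\PROGRA~1\COMMON~1\ICROSO~1.NET\spoolsv.exe" -vt yazb
"""

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for reason, rec in hits:
        print(f"{rec['type']} {rec.get('name', rec.get('clsid'))}: {reason}")
    print()
    print(build_cfscript(hits))
```

Run on the sample, it flags only the orphaned BHO and the `Ocao` value, and leaves the Gainward and iTunes entries alone; the generated script is a draft for a helper to review, not something to feed to ComboFix unread, since the heuristics cannot tell a renamed legitimate tool from a trojan.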
davep
2007-09-20, 07:06
Hi,

I've uninstalled all the programs recommended.

Also, I submitted the requested malware for analysis.

Now for the requested logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:32 PM, on 9/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir Server\avguard.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\system32\hidserv.exe
H:\WINNT\System32\llssrv.exe
H:\WINNT\System32\nvsvc32.exe
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\MSTask.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINNT\system32\stisvc.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\Dfssvc.exe
H:\WINNT\System32\msdtc.exe
H:\WINNT\Explorer.EXE
H:\WINNT\TBPanel.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\LogMeIn\LogMeInSystray.exe
H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
H:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Gainward] H:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroCheck] H:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: 360Share Pro On Startup.lnk = H:\Program Files\360Share Pro\Gui\360Share Pro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: ClientManager2.lnk = H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Server (AntiVirService) - AVIRA GmbH - H:\Program Files\Avira\AntiVir Server\avguard.exe
O23 - Service: Avira Internet Update Manager (AVUpdateManager) - AVIRA GmbH - H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6733 bytes

ComboFix 07-09-18.4 - "Administrator" 09/19/2007 19:26:02.2 - NTFSx86
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.366 [GMT -5:00]
Command switches used :: F:\CFScript.txt

FILE::
H:\Program Files\hlpsrv.exe
H:\WINNT\system32\drvtejr.dll
H:\WINNT\system32\drvtej.dll
H:\WINNT\system32\drvwux.dll
H:\WINNT\system32\drvwuxr.dll
H:\WINNT\Temp\EMULE1ef\Microsoft Office v7.0b for Windows 95 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Lord of the Rings The Battle for Middle-earth v1.00 serial keygen.zip
H:\WINNT\Temp\EMULE94f\Windows 2000 Pro Retail serial keygen.zip
H:\WINNT\system32\pstwa.tmp
H:\WINNT\system32\tmp.reg
H:\WINNT\system32\dumphive.exe
H:\WINNT\system32\SrchSTS.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Program Files\hlpsrv.exe
H:\Program Files\Windows Media Player\mebelucu4.exe
H:\Program Files\xunkjuni
H:\Program Files\xunkjuni\dknmtyhm.dll
H:\WINNT\system32\drvtej.dll
H:\WINNT\system32\drvtejr.dll
H:\WINNT\system32\drvwux.dll
H:\WINNT\system32\drvwuxr.dll
H:\WINNT\system32\dumphive.exe
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\SrchSTS.exe
H:\WINNT\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-19 19:29 16,384 --a----t- H:\WINNT\system32\Perflib_Perfdata_384.dat
2007-09-18 19:24 51,200 --a------ H:\WINNT\NirCmd.exe
2007-09-18 18:53 <DIR> d-------- H:\WINNT\ERUNT
2007-09-17 19:55 <DIR> d-a------ H:\WINNT\system32\Kaspersky Lab
2007-09-17 19:55 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-21 22:48 <DIR> d-------- H:\Program Files\Avira
2007-08-21 22:48 <DIR> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir Server
2007-08-21 22:33 <DIR> d-------- H:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-08-21 01:20 53,248 --a------ H:\WINNT\system32\Process.exe
2007-08-19 20:40 <DIR> d-------- H:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-09-18 19:30 --------- d-------- H:\Program Files\Microsoft Script Debugger
07-09-18 19:30 --------- d-------- H:\Program Files\Accessories
07-08-21 23:04 --------- d--h----- H:\Program Files\InstallShield Installation Information
07-08-19 22:02 --------- d--hs---- H:\Program Files\outlook
07-08-14 22:05 --------- d-------- H:\DOCUME~1\DEFAUL~1\APPLIC~1\Google
07-08-13 18:50 --------- d-------- H:\Program Files\iTunes
07-08-13 18:50 --------- d-------- H:\Program Files\iPod
05-02-07 15:10 271 ---h----- H:\Program Files\desktop.ini
05-02-07 15:10 21952 ---h----- H:\Program Files\folder.htt
2007-05-05 00:50:07 1,004 --sha-w H:\WINNT\system32\KGyGaAvL.sys
1997-07-22 00:30:54 1,045,776 --sha-w H:\WINNT\system32\Msjet35.dll
1997-06-23 08:00:00 123,664 --sha-w H:\WINNT\system32\Msjint35.dll
1997-06-23 17:06:50 24,848 --sha-w H:\WINNT\system32\Msjter35.dll
1997-06-23 17:06:50 252,176 --sha-w H:\WINNT\system32\Msrd2x35.dll
1997-06-23 17:06:50 287,504 --sha-w H:\WINNT\system32\Msxbse35.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of H:\Program Files\outlook ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="H:\WINNT\TBPanel.exe" [02-07-22 05:28 ]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [02-05-23 23:42 H:\WINNT\system32\nwiz.exe]
"TkBellExe"="H:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-07-16 01:50 ]
"LogMeIn GUI"="H:\Program Files\LogMeIn\LogMeInSystray.exe" [06-10-06 21:55 ]
"NeroCheck"="H:\WINNT\system32\\NeroCheck.exe" [02-10-08 05:03 ]
"HPDJ Taskbar Utility"="H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [06-01-13 19:36 ]
"WinampAgent"="H:\Program Files\Winamp\winampa.exe" [06-09-26 09:49 ]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"FLMOFFICE4DMOUSE"="H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe" [07-05-02 17:51 ]
"OFFICEKB"="H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe" [07-05-02 17:51 ]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 ]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-11 01:43 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

H:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 20:36:11]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Alias SketchBook Snapshot.lnk - H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe [2005-06-03 15:33:44]
ClientManager2.lnk - H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe [2004-08-30 02:15:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Client Manager.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Client Manager.lnk
backup=H:\WINNT\pss\Client Manager.lnkCommon Startup

R0 avgntmgr;avgntmgr;H:\WINNT\system32\drivers\avgntmgr.sys
R0 DfsDriver;DfsDriver;H:\WINNT\system32\drivers\Dfs.sys
R1 avgntdd;avgntdd;H:\WINNT\system32\drivers\avgntdd.sys
R1 BUFADPT;BUFADPT;\??\H:\WINNT\System32\BUFADPT.SYS
R2 AVUpdateManager;Avira Internet Update Manager;H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
R2 bwcdrv;BUFFALO Wireless Configuration;H:\WINNT\system32\DRIVERS\bwcdrv.sys
R2 Dfs;Distributed File System;H:\WINNT\system32\Dfssvc.exe
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\H:\Program Files\LogMeIn\RaInfo.sys
R3 Cardex;Cardex;\??\H:\WINNT\TBPANEL.SYS
R3 CBBCM43;BUFFALO WLI-CB-G54 Wireless Network Adapter;H:\WINNT\system32\DRIVERS\bcmwl5.sys
R3 LMImirr;LMImirr;H:\WINNT\system32\DRIVERS\LMImirr.sys
R3 usbhub20;USB 2.0 Root Hub Support;H:\WINNT\system32\DRIVERS\usbhub20.sys
S3 ESSIDSET;ESSIDSET;\??\H:\WINNT\System32\ESSIDSET.SYS
S3 NtFrs;File Replication;H:\WINNT\system32\ntfrs.exe
S3 TDASYNC;TDASYNC;H:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;H:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;H:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;H:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;H:\WINNT\system32\services.exe
S3 W2kbhid;KBGear Tablet (USB);H:\WINNT\system32\DRIVERS\W2kbhid.sys
S3 Wtcls2k;Wtcls2k;H:\WINNT\system32\DRIVERS\Wtcls2k.sys
S4 BsUDF;InCD UDF Driver;H:\WINNT\system32\drivers\BsUDF.sys
S4 IsmServ;Intersite Messaging;H:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;H:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

.
Contents of the 'Scheduled Tasks' folder
"2007-08-20 15:13:10 H:\WINNT\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 19:29:18
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 19:30:23 - machine was rebooted
H:\ComboFix-quarantined-files.txt ... 07-09-19 19:30
H:\ComboFix2.txt ... 07-09-18 19:34
.
--- E O F ---

davep
2007-09-20, 07:08
Here's the Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 19, 2007 11:38:27 PM
Operating System: Microsoft Windows 2000 Advanced Server, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 20/09/2007
Kaspersky Anti-Virus database records: 420994
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 105375
Number of viruses found: 23
Number of infected objects: 71
Number of suspicious objects: 10
Duration of the scan process: 01:19:26

Infected Object Name / Virus Name / Last Action
H:\Documents and Settings\Administrator\Application Data\ClientManager2\profiles.bin Object is locked skipped
H:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\Documents and Settings\Administrator\Desktop\[4]-Submit_Wed 09-19-2007@19.26.zip/mebelucu4.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
H:\Documents and Settings\Administrator\Desktop\[4]-Submit_Wed 09-19-2007@19.26.zip ZIP: infected - 1 skipped
H:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007091920070920\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip/win1B.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip/winF4E.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde31.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/win968.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip/win28C8.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde59.zip ZIP: suspicious - 1 skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
H:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\Program Files\LogMeIn\update\2-30-517.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\qoobox\Quarantine\catchme2007-09-18_193351.35.zip/ssqnlmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\qoobox\Quarantine\catchme2007-09-18_193351.35.zip ZIP: infected - 1 skipped
H:\qoobox\Quarantine\H\Program Files\Accessories\meso5555.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\qoobox\Quarantine\H\Program Files\Common Files\ICROSO~1.NET\spoolsv.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
H:\qoobox\Quarantine\H\Program Files\hlpsrv.exe.vir Infected: Trojan-Clicker.Win32.Small.mv skipped
H:\qoobox\Quarantine\H\Program Files\Microsoft Script Debugger\meso5555.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
H:\qoobox\Quarantine\H\Program Files\ucleaner_setup.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped
H:\qoobox\Quarantine\H\WINNT\system32\3.exe.vir Infected: Trojan-Downloader.Win32.VB.bbq skipped
H:\qoobox\Quarantine\H\WINNT\system32\cbxuvvw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\qoobox\Quarantine\H\WINNT\system32\chgqropi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\clybjjnt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\drvtej.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
H:\qoobox\Quarantine\H\WINNT\system32\drvwux.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
H:\qoobox\Quarantine\H\WINNT\system32\evfdxlgl.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\eyetpfce.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\fgmmnicn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\fiheldpr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\gdwocsrb.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\hggeeeb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\qoobox\Quarantine\H\WINNT\system32\ifpkqkqw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\jculoiwp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\khhhwhtn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\kwwglbow.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\mjmlnsid.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\mqetakkw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\ntvognog.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\onidradj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
H:\qoobox\Quarantine\H\WINNT\system32\pjnsxybj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\pomwlfpj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\rfrrqtsu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\rgavogte.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\Setup155.exe.vir/data0002 Infected: Trojan.Win32.VB.bfw skipped
H:\qoobox\Quarantine\H\WINNT\system32\Setup155.exe.vir/data0005 Infected: Trojan.Win32.VB.bfv skipped
H:\qoobox\Quarantine\H\WINNT\system32\Setup155.exe.vir/data0006 Infected: Trojan.Win32.VB.bfw skipped
H:\qoobox\Quarantine\H\WINNT\system32\Setup155.exe.vir NSIS: infected - 3 skipped
H:\qoobox\Quarantine\H\WINNT\system32\tigvkprj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\ttrwodyj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\udmlpsmf.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\uhxdntao.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\umjyjoqk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\uvsjlgbg.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\vgmpxhdq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\vtinpjvk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\vwtwhhys.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\whbbitdm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\winohw32.dll.vir Infected: Trojan.Win32.Agent.qt skipped
H:\qoobox\Quarantine\H\WINNT\system32\wmvds32.dll.vir Infected: Trojan-Downloader.Win32.VB.asx skipped
H:\qoobox\Quarantine\H\WINNT\system32\wvusqno.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\qoobox\Quarantine\H\WINNT\system32\wxjvqunk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
H:\qoobox\Quarantine\H\WINNT\system32\yayayyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
H:\qoobox\Quarantine\H\WINNT\uninst1014.exe.vir Infected: Trojan.Win32.VB.bfw skipped
H:\qoobox\Quarantine\H\WINNT\uni_eh44.exe.vir Infected: Trojan.Win32.VB.bfv skipped
H:\SDFix\backups\backups.zip/backups/ldcore.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
H:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
H:\SDFix\backups\backups.zip/backups/movedfile.ren Infected: Trojan-Downloader.Win32.Small.dxm skipped
H:\SDFix\backups\backups.zip/backups/user10.exe Infected: Trojan-Downloader.Win32.Small.fgr skipped
H:\SDFix\backups\backups.zip/backups/waverevenue.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
H:\SDFix\backups\backups.zip/backups/win96C.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
H:\SDFix\backups\backups.zip/backups/win9C0.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.p skipped
H:\SDFix\backups\backups.zip ZIP: infected - 7 skipped
H:\WINNT\Debug\ipsecpa.log Object is locked skipped
H:\WINNT\Debug\oakley.log Object is locked skipped
H:\WINNT\Debug\PASSWD.LOG Object is locked skipped
H:\WINNT\SchedLgU.Txt Object is locked skipped
H:\WINNT\SoftwareDistribution\EventCache\{CE48DA15-393A-4095-B973-124EC5938DA2}.bin Object is locked skipped
H:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINNT\Sti_Trace.log Object is locked skipped
H:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
H:\WINNT\system32\config\default Object is locked skipped
H:\WINNT\system32\config\default.LOG Object is locked skipped
H:\WINNT\system32\config\SAM Object is locked skipped
H:\WINNT\system32\config\SAM.LOG Object is locked skipped
H:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
H:\WINNT\system32\config\SECURITY Object is locked skipped
H:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
H:\WINNT\system32\config\software Object is locked skipped
H:\WINNT\system32\config\software.LOG Object is locked skipped
H:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
H:\WINNT\system32\config\system Object is locked skipped
H:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
H:\WINNT\system32\drvgaj.dll Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\system32\DTCLog\MSDTC.LOG Object is locked skipped
H:\WINNT\system32\Perflib_Perfdata_384.dat Object is locked skipped
H:\WINNT\system32\s2f.exe Infected: Trojan-Downloader.Win32.Alphabet.z skipped
H:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Angelfire777
2007-09-20, 11:51
Hi,

Open Notepad.
Copy and paste the text inside the Code Box below into Notepad.
Choose File > Save As and, under "Save as type", choose "All Files".
Type clean.bat in the File name box and save it to your desktop.


@echo off
rem Start each run with a fresh failure log; any path that survives deletion is written to it.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem The two live detections from the Kaspersky report plus the sample archive prepared for submission.
rem Clear the system/hidden/read-only attributes first, then delete; log the path if it is still there.
for %%g in (
H:\WINNT\system32\drvgaj.dll
H:\WINNT\system32\s2f.exe
"H:\Documents and Settings\Administrator\Desktop\[4]-Submit_Wed 09-19-2007@19.26.zip"
) do (
attrib -s -h -r %%g
del /s/f/q %%g
if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

rem Leftover folders: the hidden/system H:\Program Files\outlook folder from the ComboFix log,
rem the SmitfraudFix folder, the ComboFix quarantine (qoobox) and the SDFix backups.
for %%g in (
"H:\Program Files\outlook"
"H:\Documents and Settings\Administrator\Desktop\SmitfraudFix"
H:\qoobox
H:\SDFix
) do (
attrib -s -h -r %%g
rd /s/q %%g
if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

rem Show the failure log if anything survived, otherwise report success.
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt"
) else echo.Deleted Successfully!

rem Put Explorer's view back to its defaults: hidden files, known extensions and
rem protected operating system files hidden again.
echo.REGEDIT4>>rehide.reg
echo.>>rehide.reg
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]>>rehide.reg
echo."hidden"=dword:00000002>>rehide.reg
echo."hidefileext"=dword:00000001>>rehide.reg
echo."showsuperhidden"=dword:00000000>>rehide.reg

regedit /s rehide.reg
del rehide.reg
pause
rem The batch file removes itself.
del %0

Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

In your next reply, please include:
A fresh HijackThis log.
The results of clean.bat.
A detailed description of how your machine is running.
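The batch file above deletes only two files out of the 71 "infected objects" Kaspersky reported, because everything else in that report is either a locked system file the scanner could not open or a leftover already sitting in a removal tool's quarantine (ComboFix's qoobox, SDFix\backups, Spybot's Recovery folder, the SmitfraudFix folder), which the script removes wholesale. Kaspersky's "not-a-virus:RemoteAdmin" hits on the LogMeIn files are riskware by classification and are left alone. The triage below reproduces that reading of the report in Python. It is an added example, not a tool used in this thread; the sample lines are copied from the report posted above, and the list of quarantine folders is an assumption drawn from the tools the thread used.

```python
"""Triage of a Kaspersky Online Scanner report: which hits are still live?

Added example for this thread, not a tool that was used in it. The sample
report lines are copied from the scan posted above; the quarantine-folder
list is an assumption drawn from the removal tools the thread used
(ComboFix -> qoobox, SDFix -> SDFix\\backups, Spybot -> Recovery, SmitfraudFix).
"""
import re
from collections import Counter, defaultdict

# Folders where removal tools park what they have already neutralised, plus the
# sample archive prepared for submission. A hit under one of these is a leftover
# to remove wholesale, not an active infection. (Assumed list; lower-case.)
QUARANTINE_MARKERS = (
    r"\qoobox\quarantine",
    r"\sdfix\backups",
    r"\spybot - search & destroy\recovery",
    r"\desktop\smitfraudfix",
    r"\desktop\[4]-submit_",
)

# One report line: <path>, then one of the scanner's verdict forms, then "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"Infected:\s+(?P<name>\S+)"
    r"|Suspicious:\s+(?P<susp>\S+)"
    r"|(?P<archive>\w+):\s+(?:infected|suspicious)\s+-\s+(?P<count>\d+)"
    r"|(?P<locked>Object is locked)"
    r")\s+skipped\s*$"
)

# Constructed sample: a dozen lines copied from the report posted above.
SAMPLE_REPORT = r"""
H:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
H:\Documents and Settings\Administrator\Desktop\[4]-Submit_Wed 09-19-2007@19.26.zip/mebelucu4.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip/win1B.tmp.exe Suspicious: Password-protected-EXE skipped
H:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
H:\qoobox\Quarantine\H\WINNT\system32\drvtej.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
H:\qoobox\Quarantine\H\WINNT\system32\Setup155.exe.vir NSIS: infected - 3 skipped
H:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
H:\WINNT\system32\config\SAM Object is locked skipped
H:\WINNT\system32\drvgaj.dll Infected: Trojan.Win32.Dialer.qn skipped
H:\WINNT\system32\s2f.exe Infected: Trojan-Downloader.Win32.Alphabet.z skipped
"""


def parse_line(line):
    """Return (path, kind, name) for a report line, or None if it is not one.
    kind is 'locked', 'container', 'suspicious' or 'infected'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return m.group("path"), "locked", None
    if m.group("archive"):
        # Roll-up for an archive; the member lines above it carry the real names.
        return m.group("path"), "container", m.group("archive")
    if m.group("susp"):
        return m.group("path"), "suspicious", m.group("susp")
    return m.group("path"), "infected", m.group("name")


def in_quarantine(path):
    p = path.lower()
    return any(marker in p for marker in QUARANTINE_MARKERS)


def triage(report_text):
    """Bucket every line: live / riskware / quarantined / container / locked."""
    buckets = defaultdict(list)
    for raw in report_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, kind, name = parsed
        if kind == "locked":
            buckets["locked"].append(path)            # unreadable, not a detection
        elif kind == "container":
            buckets["container"].append(path)
        elif in_quarantine(path):
            buckets["quarantined"].append((path, name))
        elif name.startswith("not-a-virus:"):
            buckets["riskware"].append((path, name))  # e.g. remote-admin software
        else:
            # Infected, or an unexplained suspicious file, outside any quarantine.
            buckets["live"].append((path, name))
    return buckets


def live_targets(report_text):
    """On-disk paths that still need removal. An archive member such as
    'foo.zip/bar.exe' maps back to the archive file 'foo.zip'."""
    return sorted({path.split("/")[0] for path, _ in triage(report_text)["live"]})


def family_counts(report_text):
    """Hits per detection name, live and quarantined together."""
    buckets = triage(report_text)
    return Counter(name for key in ("live", "quarantined", "riskware")
                   for _, name in buckets[key])


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for key in ("live", "riskware", "quarantined", "container", "locked"):
        print(f"{key:11s} {len(buckets[key])}")
    print("still to remove:", *live_targets(SAMPLE_REPORT), sep="\n  ")
```

Run against the sample, `live_targets` returns exactly the two system32 files that clean.bat deletes; the `quarantined` bucket corresponds to the folders it removes with `rd /s/q`. On a real report, check the `live` bucket by hand before deleting anything, since a suspicious file outside quarantine lands there too.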

davep
2007-09-21, 01:18
Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

Deleted Successfully.


A detailed description of how your machine is running.

As for the performance of my computer:
It seems to be running quite well. No pop-ups lately. I'm going to reboot after this post and see if I can get a bit better description for you.

Fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:57 PM, on 9/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
H:\WINNT\System32\smss.exe
H:\WINNT\system32\winlogon.exe
H:\WINNT\system32\services.exe
H:\WINNT\system32\lsass.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir Server\avguard.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\system32\hidserv.exe
H:\WINNT\System32\llssrv.exe
H:\WINNT\System32\nvsvc32.exe
H:\WINNT\system32\regsvc.exe
H:\WINNT\system32\MSTask.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINNT\system32\stisvc.exe
H:\WINNT\System32\svchost.exe
H:\WINNT\System32\WBEM\WinMgmt.exe
H:\WINNT\system32\svchost.exe
H:\WINNT\system32\Dfssvc.exe
H:\WINNT\System32\msdtc.exe
H:\WINNT\Explorer.EXE
H:\WINNT\TBPanel.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\LogMeIn\LogMeInSystray.exe
H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
H:\Program Files\internet explorer\iexplore.exe
H:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Gainward] H:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroCheck] H:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] H:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [OFFICEKB] H:\Program Files\Micro Innovations\Wireless Keyboard & Optical Mouse\kbdap32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] H:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: 360Share Pro On Startup.lnk = H:\Program Files\360Share Pro\Gui\360Share Pro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = H:\Program Files\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: ClientManager2.lnk = H:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://H:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://H:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Server (AntiVirService) - AVIRA GmbH - H:\Program Files\Avira\AntiVir Server\avguard.exe
O23 - Service: Avira Internet Update Manager (AVUpdateManager) - AVIRA GmbH - H:\Program Files\Avira\Internet Update Manager\Updmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - H:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - H:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6781 bytes
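Reading an HJT log by hand is what the helper does before pronouncing it clean. As an added example (not part of this thread and not HijackThis code), this Python parses O4 Run entries and O17 NameServer lines in the format shown above and flags a resolver outside the LAN or a startup binary outside Program Files/WINNT. The sample lines are constructed from the posted log plus two invented entries (`203.0.113.9` and the Temp path) to exercise the checks.

```python
import re

# Constructed sample in HijackThis v2 log format: the first three lines follow the
# log posted above; the last two (203.0.113.9 and the Temp path) are invented
# to exercise the checks, not findings from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{42B9155E-5837-42CA-9427-8FC59E492D45}: NameServer = 203.0.113.9
O4 - HKLM\..\Run: [example] H:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d., ]+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)

# RFC 1918 ranges plus loopback: a home resolver is normally the router or localhost.
LAN_PREFIXES = ("10.", "192.168.", "127.") + tuple(f"172.{n}." for n in range(16, 32))
# Directories a legitimate Run entry on this Windows 2000 box is expected to live under.
TRUSTED_DIRS = ("\\program files\\", "\\winnt\\")


def is_lan_resolver(addr):
    """True if the NameServer address is in a private LAN range or loopback."""
    return addr.startswith(LAN_PREFIXES)


def looks_unusual(path):
    """True if a startup binary lives outside Program Files or the Windows directory."""
    return not any(d in path.lower() for d in TRUSTED_DIRS)


def triage(log_text):
    """Parse O4 Run and O17 NameServer lines; return entries plus the ones worth a second look."""
    findings = {"run_entries": [], "unusual_run": [], "public_nameservers": []}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe = EXE_RE.search(m["cmd"])
            path = exe["path"] if exe else m["cmd"]
            findings["run_entries"].append((m["hive"], m["name"], path))
            if looks_unusual(path):
                findings["unusual_run"].append((m["name"], path))
            continue
        m = O17_RE.match(line.strip())
        if m:
            for srv in re.split(r"[ ,]+", m["servers"].strip()):
                if srv and not is_lan_resolver(srv):
                    findings["public_nameservers"].append(srv)
    return findings
```

Run against the real log, an empty `public_nameservers` and `unusual_run` is the quick confirmation that the O4/O17 sections match what the helper concluded.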

davep
2007-09-21, 01:44
I notice several things different than when first infected.

-Upon rebooting Windows, there is no longer a cmd box or boxes that automatically open (and I assume execute commands) just before the desktop icons appear.

-No pop-ups or redirection of Internet Explorer.

-While the computer is "idling"... no longer receiving continual messages about "cannot find web page... do you want to work offline?"

-Seems to be working like pre-infection! Thanks!

I'm not sure what other detailed info you might want, but I'll be happy to supply it if needed.

Angelfire777
2007-09-21, 16:28
Hi,

What you provided was enough.

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your PC's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» Comodo (http://www.personalfirewall.comodo.com/)
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)

MVPS Hosts File
~You can download it from here (http://www.mvps.org/winhelp2002/hosts.zip)
~I highly recommend this hosts file. You can learn more about this here (http://www.mvps.org/winhelp2002/hosts.htm)

IESpyAds
~Instructions on downloading and using it here (http://www.techsupportforum.com/articles-tutorials-reviews/computer-security-articles/168444-installation-guide-ie-spyad.html#post1068846)

Note: This only works for Internet Explorer.

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!