Assistance With Unknown Infection



Leprkon
2007-11-07, 23:33
Umm, I will get straight to the point and skip the explanation.

----------
HJT LOG
----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:15 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\taskmar.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\WINDOWS\system32\HPZipm12.exe
C:\sysreset\mirc.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\explorer.exe
D:\Program Files\CoreCodec\The Core Media Player\CorePlayer.exe
D:\WINDOWS\system32\vjklgnrm.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Eset\nod32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,,taskmar.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rjnxucas.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [c0f79f14] rundll32.exe "D:\WINDOWS\system32\llelfvdg.dll",b
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService - - D:\WINDOWS\system32\vjklgnrm.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5997 bytes





And I chose not to post the Kaspersky log due to its length. If you need it, I will post it upon request.

Mr_JAk3
2007-11-08, 20:51
Hello and welcome to the Forums :)

You're infected.

Rename HijackThis.exe to skanneri.exe by doing the following:

Navigate here using Windows Explorer (Windows key + E) or My Computer > Local Disk C: > C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe
Choose "Rename" from the pull-down menu
Now rename HijackThis.exe to skanneri.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

Leprkon
2007-11-08, 23:28
I did as requested. Here is the newly produced log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:23 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\WINDOWS\system32\HPZipm12.exe
C:\sysreset\mirc.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\CoreCodec\The Core Media Player\CorePlayer.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\vjklgnrm.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\skanneri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,,taskmar.exe
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {160b93d5-27ae-4fc6-a589-0c5f8d2ae3ac} - D:\WINDOWS\system32\ejdnhlyp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {680af64e-3e30-a36b-8cc4-9409f3b50266} - {66205b3f-9049-4cc8-b63a-03e3e46fa086} - D:\WINDOWS\system32\jpblgabw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - D:\WINDOWS\system32\xxywwus.dll
O2 - BHO: (no name) - {A38825C3-2D24-4461-A804-022E9D560B08} - D:\WINDOWS\system32\ssqro.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rjnxucas.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rjnxucas.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [c0f79f14] rundll32.exe "D:\WINDOWS\system32\llelfvdg.dll",b
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O20 - Winlogon Notify: rjnxucas - D:\WINDOWS\SYSTEM32\rjnxucas.dll
O20 - Winlogon Notify: xxywwus - D:\WINDOWS\SYSTEM32\xxywwus.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService - - D:\WINDOWS\system32\vjklgnrm.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7392 bytes
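
The two HijackThis logs above already contain the entries the helper acts on next: an F2 UserInit line that has grown a second executable (userinit.exe,,taskmar.exe), O20 Winlogon Notify DLLs in system32, O2 BHOs and an O3 toolbar with random eight-letter names, and an O23 service (DomainService) with no vendor string. As an added example that is not part of the thread and not a tool either participant used, the Python script below parses lines in that HijackThis 2.0.2 format and flags those entry classes. The sample lines are constructed from the posted logs; the looks_random test (seven or eight lowercase letters with at most two vowels) is my heuristic, not a rule HijackThis or the forum applies. It misses lookalike names such as taskmar.exe (the UserInit rule catches that one instead) and can false-positive on legitimate modules, so its output is a review list, not a verdict.

```python
# Added example (not from the thread): triage a HijackThis 2.0.2 log for the
# persistence points the helper cleaned here. Heuristic output; review it.
import re
from typing import List, Tuple

# Constructed sample: lines copied in the shape of the logs posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,,taskmar.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {160b93d5-27ae-4fc6-a589-0c5f8d2ae3ac} - D:\WINDOWS\system32\ejdnhlyp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rjnxucas.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [c0f79f14] rundll32.exe "D:\WINDOWS\system32\llelfvdg.dll",b
O20 - Winlogon Notify: xxywwus - D:\WINDOWS\SYSTEM32\xxywwus.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: DomainService - - D:\WINDOWS\system32\vjklgnrm.exe
"""

# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A module referenced from system32 (HJT prints SYSTEM32 in some sections).
SYS32_RE = re.compile(r"\\system32\\([A-Za-z0-9_~-]+)\.(dll|exe)\b", re.IGNORECASE)
# HJT separates fields with " - "; an empty vendor shows up as " - - ".
FIELD_SPLIT_RE = re.compile(r"(?<=\s)-(?=\s)")

Finding = Tuple[str, str, str]  # (section, reason, original line)


def looks_random(name: str) -> bool:
    """Assumed heuristic: 7-8 lowercase letters with at most two vowels.
    Catches xxywwus/ejdnhlyp-style names; misses lookalikes such as taskmar."""
    return bool(re.fullmatch(r"[a-z]{7,8}", name)) and sum(c in "aeiou" for c in name) <= 2


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "UserInit=" in body:
            # Anything after userinit.exe in this comma list runs at every logon.
            entries = [e for e in body.split("UserInit=", 1)[1].split(",") if e]
            extra = [e for e in entries[1:] if not e.lower().endswith("userinit.exe")]
            if extra:
                findings.append((sec, "extra UserInit entry: " + ", ".join(extra), line))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            # Notify DLLs are mapped into winlogon.exe before any user session exists.
            findings.append((sec, "Winlogon Notify DLL; verify its publisher", line))
        elif sec == "O23":
            # "Service: <name> - <vendor> - <path>"; an empty vendor field is the tell.
            parts = [p.strip() for p in FIELD_SPLIT_RE.split(body)]
            if len(parts) >= 3 and parts[1] == "":
                findings.append((sec, "service with no vendor string", line))
        elif sec in ("O2", "O3", "O4"):
            hit = SYS32_RE.search(body)
            if hit and looks_random(hit.group(1)):
                findings.append((sec, f"random-looking system32 module {hit.group(1)}.{hit.group(2)}", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run it on the sample and six of the ten lines come back flagged; the Adobe and Spybot BHOs, the NOD32 Run entry and the NOD32 service do not. Anything it flags still needs the publisher, signature and on-disk timestamps checked before it goes into a removal script like the one later in this thread.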

Mr_JAk3
2007-11-09, 21:16
Ok we'll begin the cleaning now :)

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Leprkon
2007-11-10, 00:01
Alright, I just wanted to confirm something. I ran VundoFix.exe and, as you stated might happen, my computer restarted because VundoFix was unable to remove a file. I did as instructed, and it seems that a file, "xxywwus.dll", is unable to be deleted for one reason or another. Would you like me to boot in safe mode and run VundoFix in hopes of removing this file, or would you prefer another option?

Mr_JAk3
2007-11-10, 17:39
Hi :)

Okay, you may try in safe mode too. Then just post the logs here. We may need to use other tools too....


Leprkon
2007-11-11, 17:41
Alright, so it turns out it won't remove in safe mode either. Any other program suggestions?

Oh, and btw, sorry it is taking me a while to reply. I cut off the internet connection to my computer and I am using my siblings' computer to reply.

Mr_JAk3
2007-11-11, 17:58
Hello :)

Okay we'll hit it with this one:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Leprkon
2007-11-13, 05:12
Hi :D
I am having a little trouble posting the whole log. In total, it is over 110 000 characters long.
Do you want me to post specific sections of the log, or would you like me to "take other courses of action"? :laugh:

I am sorry this is taking longer than usual and that my computer isn't quite cooperating. ^_^;;

Mr_JAk3
2007-11-13, 20:52
Hi :)

Ok that's one huge log then...

You can use e.g. rapidshare (http://rapidshare.com/) to upload the whole log. Then just post the link to your log here.

Leprkon
2007-11-13, 22:14
Hello,

and here is your link~

http://rapidshare.com/files/69511278/log.txt

Mr_JAk3
2007-11-14, 20:40
Hi, we'll continue :)

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

Open notepad and copy/paste the text in the quotebox below into it:


File::
D:\WINDOWS\system32\blrwkjyp.dll
D:\WINDOWS\system32\lsmpmwtd.dll
D:\WINDOWS\system32\rxwwuebm.dll
D:\WINDOWS\system32\wowjldko.dll
D:\WINDOWS\system32\ndqfjron.dll
D:\WINDOWS\system32\wrhdlhpa.dll
D:\WINDOWS\system32\uabbajeh.dll
D:\WINDOWS\system32\ycandxdm.dll
D:\WINDOWS\system32\eshslpme.dll
D:\WINDOWS\system32\pcdhnpeu.dll
D:\WINDOWS\system32\ukjaynlv.dll
D:\WINDOWS\system32\ekqirxwq.dll
D:\WINDOWS\system32\xhwejjtc.dll
D:\WINDOWS\system32\mgfrcedl.dll
D:\WINDOWS\system32\hjwystnp.dll
D:\WINDOWS\system32\hmotjlqm.dll
D:\WINDOWS\system32\wxluwyaf.dll
D:\WINDOWS\system32\tumfjxle.dll
D:\WINDOWS\system32\rwnporur.dll
D:\WINDOWS\system32\edfwqjql.dll
D:\WINDOWS\system32\ehycghjj.exe
D:\WINDOWS\system32\nggbuokv.dll
D:\WINDOWS\system32\fsphhsvy.exe
D:\WINDOWS\system32\dqjnsgjj.dll
D:\WINDOWS\system32\lfbbphjw.exe
D:\WINDOWS\system32\yfhejrkj.dll
D:\WINDOWS\system32\iluhxqpx.dll
D:\WINDOWS\system32\owhcriqi.dll
D:\WINDOWS\system32\qwsjongc.exe
D:\WINDOWS\system32\amhqqqtd.dll
D:\WINDOWS\system32\chovtydx.dll
D:\WINDOWS\system32\gfuscchr.dll
D:\WINDOWS\system32\ejdnhlyp.dll
D:\WINDOWS\system32\xxywwus.dll
D:\WINDOWS\17PHolmes572.exe
D:\WINDOWS\system32\ejdnhlyp.dll
D:\WINDOWS\system32\taskmar.exe
D:\WINDOWS\system32\lsmpmwtd.dll
D:\WINDOWS\system32\blrwkjyp.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{160b93d5-27ae-4fc6-a589-0c5f8d2ae3ac}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1cf5be8d-8913-4f02-80a5-0081e900e3c7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c0f79f14"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00




Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
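
The Registry:: section of that CFScript does more than delete the two BHO keys and the c0f79f14 Run value: its last entry rewrites the LSA "Authentication Packages" value wholesale to hex(7):6d,73,76,31,5f,30,00,00. hex(7) is REG_MULTI_SZ, and in the single-byte (REGEDIT4-style) form ComboFix scripts use those bytes spell msv1_0 followed by the two NUL terminators, which is the Windows XP default. Vundo/Virtumonde variants of this period appended their DLL to that list so lsass.exe loaded it at boot; xxywwus.dll is also registered as a Winlogon Notify DLL (O20 in the earlier log), so it was mapped into winlogon.exe from the first logon. A DLL held open by winlogon or lsass cannot be unlinked by a user-mode tool, which matches the failed VundoFix runs. As an added example that is not part of the thread, the Python below decodes and re-encodes that value and reports any package other than msv1_0. The "infected" sample is constructed (the thread never shows the pre-cleanup data), and DEFAULT_AUTH_PACKAGES is my assumption for a stock XP install, not something the script in the thread states.

```python
# Added example (not from the thread): decode/encode the REG_MULTI_SZ
# "hex(7):" syntax used in the CFScript's Registry:: section and compare the
# LSA "Authentication Packages" list against the Windows XP default.
import re
from typing import List, Sequence

# Assumption: a stock Windows XP install lists only the NTLM/MSV package here.
DEFAULT_AUTH_PACKAGES: Sequence[str] = ("msv1_0",)

# The line from the CFScript in the thread.
CFSCRIPT_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"


def decode_reg_hex7(value: str) -> List[str]:
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes.

    hex(7) is REG_MULTI_SZ: NUL-separated strings ending in a double NUL.
    REGEDIT4-style scripts (as in the thread) store single-byte characters;
    'Windows Registry Editor Version 5.00' files store UTF-16LE, detected
    here by every odd byte being zero.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    # .reg files may wrap long data with backslash-newline; drop that too.
    tokens = [t for t in re.split(r"[,\s\\]+", value[7:]) if t]
    raw = bytes(int(t, 16) for t in tokens)
    utf16 = bool(raw) and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    parts = text.split("\x00")
    while parts and parts[-1] == "":      # strip the terminating NULs
        parts.pop()
    return parts


def encode_reg_hex7(strings: Sequence[str]) -> str:
    """Inverse of decode_reg_hex7 in the REGEDIT4 (single-byte) flavour."""
    data = "".join(s + "\x00" for s in strings) + "\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data.encode("latin-1"))


def unexpected_auth_packages(packages: Sequence[str],
                             expected: Sequence[str] = DEFAULT_AUTH_PACKAGES) -> List[str]:
    """Entries in the live value that are not in the expected set (case-insensitive)."""
    allowed = {e.lower() for e in expected}
    return [p for p in packages if p.lower() not in allowed]


# Constructed sample of the value once a Vundo DLL has been appended; the
# thread itself never shows the pre-cleanup data.
INFECTED_SAMPLE = encode_reg_hex7(["msv1_0", "xxywwus"])

if __name__ == "__main__":
    for label, value in (("CFScript", CFSCRIPT_VALUE), ("constructed", INFECTED_SAMPLE)):
        packages = decode_reg_hex7(value)
        print(f"{label}: {packages} unexpected={unexpected_auth_packages(packages)}")
```

Because the CFScript writes the whole value rather than removing one entry, anything else legitimately registered there (a third-party GINA or SSP, for example) would be dropped as well; on a stock XP box that is the correct outcome, which is why a helper can ship the fixed byte string.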

Leprkon
2007-11-14, 22:56
Here you go~

CF LOG

ComboFix 07-11-08.1 - Tsurugi Kyo 2007-11-14 15:49:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -6:00]
Running from: D:\Documents and Settings\Tsurugi Kyo\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Tsurugi Kyo\Desktop\CFScript.txt
* Created a new restore point

FILE
D:\WINDOWS\17PHolmes572.exe
D:\WINDOWS\system32\amhqqqtd.dll
D:\WINDOWS\system32\blrwkjyp.dll
D:\WINDOWS\system32\chovtydx.dll
D:\WINDOWS\system32\dqjnsgjj.dll
D:\WINDOWS\system32\edfwqjql.dll
D:\WINDOWS\system32\ehycghjj.exe
D:\WINDOWS\system32\ejdnhlyp.dll
D:\WINDOWS\system32\ekqirxwq.dll
D:\WINDOWS\system32\eshslpme.dll
D:\WINDOWS\system32\fsphhsvy.exe
D:\WINDOWS\system32\gfuscchr.dll
D:\WINDOWS\system32\hjwystnp.dll
D:\WINDOWS\system32\hmotjlqm.dll
D:\WINDOWS\system32\iluhxqpx.dll
D:\WINDOWS\system32\lfbbphjw.exe
D:\WINDOWS\system32\lsmpmwtd.dll
D:\WINDOWS\system32\mgfrcedl.dll
D:\WINDOWS\system32\ndqfjron.dll
D:\WINDOWS\system32\nggbuokv.dll
D:\WINDOWS\system32\owhcriqi.dll
D:\WINDOWS\system32\pcdhnpeu.dll
D:\WINDOWS\system32\qwsjongc.exe
D:\WINDOWS\system32\rwnporur.dll
D:\WINDOWS\system32\rxwwuebm.dll
D:\WINDOWS\system32\taskmar.exe
D:\WINDOWS\system32\tumfjxle.dll
D:\WINDOWS\system32\uabbajeh.dll
D:\WINDOWS\system32\ukjaynlv.dll
D:\WINDOWS\system32\wowjldko.dll
D:\WINDOWS\system32\wrhdlhpa.dll
D:\WINDOWS\system32\wxluwyaf.dll
D:\WINDOWS\system32\xhwejjtc.dll
D:\WINDOWS\system32\xxywwus.dll
D:\WINDOWS\system32\ycandxdm.dll
D:\WINDOWS\system32\yfhejrkj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\17PHolmes572.exe
D:\WINDOWS\system32\amhqqqtd.dll
D:\WINDOWS\system32\blrwkjyp.dll
D:\WINDOWS\system32\chovtydx.dll
D:\WINDOWS\system32\dqjnsgjj.dll
D:\WINDOWS\system32\edfwqjql.dll
D:\WINDOWS\system32\ehycghjj.exe
D:\WINDOWS\system32\ejdnhlyp.dll
D:\WINDOWS\system32\ekqirxwq.dll
D:\WINDOWS\system32\eshslpme.dll
D:\WINDOWS\system32\fsphhsvy.exe
D:\WINDOWS\system32\gfuscchr.dll
D:\WINDOWS\system32\hjwystnp.dll
D:\WINDOWS\system32\hmotjlqm.dll
D:\WINDOWS\system32\iluhxqpx.dll
D:\WINDOWS\system32\lfbbphjw.exe
D:\WINDOWS\system32\lsmpmwtd.dll
D:\WINDOWS\system32\mgfrcedl.dll
D:\WINDOWS\system32\ndqfjron.dll
D:\WINDOWS\system32\nggbuokv.dll
D:\WINDOWS\system32\owhcriqi.dll
D:\WINDOWS\system32\pcdhnpeu.dll
D:\WINDOWS\system32\qwsjongc.exe
D:\WINDOWS\system32\rwnporur.dll
D:\WINDOWS\system32\rxwwuebm.dll
D:\WINDOWS\system32\taskmar.exe
D:\WINDOWS\system32\tumfjxle.dll
D:\WINDOWS\system32\uabbajeh.dll
D:\WINDOWS\system32\ukjaynlv.dll
D:\WINDOWS\system32\wowjldko.dll
D:\WINDOWS\system32\wrhdlhpa.dll
D:\WINDOWS\system32\wxluwyaf.dll
D:\WINDOWS\system32\xhwejjtc.dll
D:\WINDOWS\system32\ycandxdm.dll
D:\WINDOWS\system32\yfhejrkj.dll
.
---- Previous Run -------
.
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\ssttt.dll
D:\WINDOWS\system32\tttss.ini
D:\WINDOWS\system32\tttss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-13 21:03 21,456 --a------ D:\WINDOWS\system32\drivers\SilvrLnk.sys
2007-11-13 21:02 <DIR> d-------- D:\Program Files\TI Education
2007-11-13 21:02 <DIR> d-------- D:\Program Files\Common Files\TI Shared
2007-11-13 21:01 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 17:12 <DIR> d-------- D:\Documents and Settings\Tsurugi Kyo\Application Data\Move Networks
2007-11-13 07:43 26,296 --a------ D:\Documents and Settings\Tsurugi Kyo\Application Data\GDIPFONTCACHEV1.DAT
2007-11-11 12:43 <DIR> d--h----- D:\Documents and Settings\Tsurugi Kyo\Application Data\ijjigame
2007-11-11 12:43 58,776 --a------ D:\WINDOWS\system32\ijjiPlugin2.dll
2007-11-11 12:42 <DIR> d-------- D:\Program Files\NHN USA
2007-11-11 12:42 692,224 --a------ D:\WINDOWS\system32\ijjiSetup.exe
2007-11-10 13:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-09 23:43 49,536 -ra------ D:\WINDOWS\system32\drivers\tiehdusb.sys
2007-11-09 17:25 <DIR> d-------- D:\VundoFix Backups
2007-11-06 20:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-03 21:18 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-11-03 21:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-03 17:50 <DIR> d-------- D:\Program Files\Yahoo!
2007-11-03 17:49 <DIR> d-------- D:\Program Files\CCleaner
2007-11-02 21:34 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2007-11-02 16:35 <DIR> d-------- D:\Program Files\iTunes
2007-11-02 16:35 <DIR> d-------- D:\Documents and Settings\Tsurugi Kyo\Application Data\Apple Computer
2007-11-02 16:34 <DIR> d-------- D:\Program Files\QuickTime
2007-11-02 16:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-02 16:32 <DIR> d-------- D:\Program Files\Common Files\Apple
2007-10-17 05:39 <DIR> d-------- D:\Documents and Settings\Tsurugi Kyo\Application Data\Viewpoint
2007-10-16 17:50 <DIR> d-------- D:\Documents and Settings\Tsurugi Kyo\Application Data\acccore
2007-10-16 17:48 <DIR> d-------- D:\Program Files\Common Files\AOL
2007-10-16 17:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-16 17:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AOL
2007-10-16 17:46 <DIR> d-------- D:\Program Files\AIM6
2007-10-16 17:28 <DIR> d-------- D:\Program Files\Viewpoint
2007-10-16 17:28 <DIR> d-------- D:\Program Files\AIM
2007-10-16 17:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-16 17:28 344,064 --a------ D:\WINDOWS\system32\msvcr70.dll
2007-10-16 16:25 <DIR> d-------- D:\Program Files\Winamp
2007-10-16 16:25 <DIR> d-------- D:\Documents and Settings\Tsurugi Kyo\Application Data\Winamp
2007-10-14 10:14 <DIR> d-------- D:\Program Files\MSBuild
2007-10-14 10:00 <DIR> d-------- D:\WINDOWS\system32\XPSViewer
2007-10-14 09:58 <DIR> d-------- D:\Program Files\Reference Assemblies
2007-10-14 09:57 14,048 --a------ D:\WINDOWS\system32\spmsg2.dll
2007-10-14 09:47 23,856 --a------ D:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 21:50 --------- d-----w D:\Documents and Settings\Tsurugi Kyo\Application Data\Orbit
2007-11-11 18:42 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-11-10 17:08 --------- d-----w D:\Program Files\Java
2007-11-07 05:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 03:34 --------- d-----w D:\Program Files\BearShare
2007-10-25 21:20 --------- d-----w D:\Documents and Settings\Tsurugi Kyo\Application Data\uTorrent
2007-09-27 22:22 --------- d-----w D:\Program Files\PurePlay
2007-09-27 22:22 --------- d-----w D:\Documents and Settings\All Users\Application Data\PurePlay
2007-09-27 09:31 --------- d-----w D:\Program Files\uTorrent
2007-09-17 23:39 --------- d-----w D:\Documents and Settings\Tsurugi Kyo\Application Data\RipIt4Me
2007-09-15 03:52 --------- d-----w D:\Program Files\Common Files\Adobe
2007-09-15 03:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-09-15 03:48 --------- d-----w D:\Program Files\Common Files\Adobe Systems Shared
2007-08-20 06:49 502,272 ----a-w D:\WINDOWS\system32\winlogon.exe
2007-08-20 06:35 298,104 ----a-w D:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot_2007-11-12_22.19.42.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-08-14 16:10:54 37,376 ----a-w D:\WINDOWS\system\lfbmp12n.dll
+ 2003-08-14 16:10:56 313,856 ----a-w D:\WINDOWS\system\LFCMP12n.DLL
+ 2003-08-14 16:10:56 78,336 ----a-w D:\WINDOWS\system\lffax12n.dll
+ 2003-08-14 16:10:56 109,568 ----a-w D:\WINDOWS\system\lfjbg12n.dll
+ 2003-08-14 16:10:56 32,256 ----a-w D:\WINDOWS\system\lflmb12n.dll
+ 2003-08-14 16:10:58 33,280 ----a-w D:\WINDOWS\system\lfpcx12n.dll
+ 2003-08-14 16:10:58 190,464 ----a-w D:\WINDOWS\system\lftif12n.dll
+ 2003-08-14 16:11:24 278,528 ----a-w D:\WINDOWS\system\LTDIS12n.dll
+ 2003-08-14 16:11:28 146,944 ----a-w D:\WINDOWS\system\ltfil12n.DLL
+ 2003-08-14 16:11:32 406,016 ----a-w D:\WINDOWS\system\ltkrn12n.dll
+ 2003-08-14 16:11:40 855,040 ----a-w D:\WINDOWS\system\Ltwvc12n.dll
- 2007-11-03 03:01:59 127,704 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-11-14 05:12:03 140,440 ----a-w D:\WINDOWS\system32\FNTCACHE.DAT
- 2007-11-10 05:44:56 70,124 ----a-w D:\WINDOWS\system32\perfc009.dat
+ 2007-11-14 03:09:30 70,124 ----a-w D:\WINDOWS\system32\perfc009.dat
- 2007-11-10 05:44:56 436,360 ----a-w D:\WINDOWS\system32\perfh009.dat
+ 2007-11-14 03:09:30 436,360 ----a-w D:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 19:39 D:\WINDOWS\SOUNDMAN.EXE]
"RegServer"="regserve.exe" [2005-01-28 14:41 D:\WINDOWS\system32\RegServe.exe]
"XGIWatchDog"="XWatDog.exe" [2005-01-28 14:42 D:\WINDOWS\system32\XWatDog.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-08-20 00:35]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"DeadAIM"="D:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-23 03:16]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 14:14]
"Aim6"="" []

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Orbit.lnk - D:\Program Files\Orbitdownloader\orbitdm.exe [2007-09-13 16:27:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= D:\WINDOWS\system32\byxyvts.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvts]
byxyvts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;D:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;D:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 Xgiv3;Xgiv3;D:\WINDOWS\system32\DRIVERS\Xgiv3m.sys
S3 DrvSnSht;DrvSnSht;\??\D:\Program Files\R-Drive Image\DrvSnSht.sys
S3 MzBot;MzBot;\??\C:\MzBot.sys
S3 R-ImageDisk;R-ImageDisk;\??\D:\Program Files\R-Drive Image\R-ImageDisk.sys
S3 TIEHDUSB;TIEHDUSB;D:\WINDOWS\system32\drivers\tiehdusb.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1121d1e3-3d53-11dc-a004-806d6172696f}]
\Shell\AutoRun\command - H:\SETUP.EXE /UPDATE

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 15:52:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 15:53:06 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-09-06 05:55
D:\ComboFix2.txt ... 2007-11-12 22:20
D:\ComboFix3.txt ... 2007-09-06 05:55
.
--- E O F ---



HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:49 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\skanneri.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O20 - Winlogon Notify: byxyvts - byxyvts.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6370 bytes

Mr_JAk3
2007-11-15, 20:08
Looking much better :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: byxyvts - byxyvts.dll (file missing)


Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

Leprkon
2007-11-16, 05:13
Done and Done~ :yes:

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:32 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Trend Micro\HijackThis\skanneri.exe
D:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6151 bytes


Dr.Web CureIt

3RBYAICA.NQF;D:\Program Files\Eset\infected;Trojan.Hammer;Deleted.;
5APZRICA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.26881;Deleted.;
AIF3XRDA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
BFIGR4CA.NQF;D:\Program Files\Eset\infected;Trojan.Virtumod;Deleted.;
E1DJUCDA.NQF;D:\Program Files\Eset\infected;Trojan.Inject.380;Deleted.;
G1TJRTDA.NQF;D:\Program Files\Eset\infected;Trojan.Hammer;Deleted.;
L1TPHQDA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
LBZDRWCA.NQF;D:\Program Files\Eset\infected;Trojan.Spambot;Deleted.;
MEHCHNAA.NQF;D:\Program Files\Eset\infected;Adware.ClickSpring;;
MURCBQDA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
O0N4TMAA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.10963;Deleted.;
OD3GCSCA.NQF;D:\Program Files\Eset\infected;Trojan.Click.2446;Deleted.;
OUATVVBA.NQF\data001;D:\Program Files\Eset\infected\OUATVVBA.NQF;Adware.Mirarbar;;
OUATVVBA.NQF\data002;D:\Program Files\Eset\infected\OUATVVBA.NQF;Adware.Mirarbar;;
OUATVVBA.NQF;D:\Program Files\Eset\infected;Archive contains infected objects;Moved.;
P0FZUDCA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.10963;Deleted.;
PIGZHSCA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
PIJ2SDDA.NQF;D:\Program Files\Eset\infected;Trojan.Virtumod;Deleted.;
PM4IGNDA.NQF;D:\Program Files\Eset\infected;Adware.ClickSpring;;
QG525GDA.NQF;D:\Program Files\Eset\infected;Trojan.Hammer;Deleted.;
QQYGL4AA.NQF;D:\Program Files\Eset\infected;Adware.Aws;;
R0PH5XDA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
S2G2BOCA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.10963;Deleted.;
UL4LHPBA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
UUQCYABA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
VGP5OMAA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
VI1UWDAA.NQF;D:\Program Files\Eset\infected;Trojan.Virtumod.206;Deleted.;
VQR42FDA.NQF;D:\Program Files\Eset\infected;Trojan.EzulaAd;Deleted.;
VX3B0FDA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.24715;Deleted.;
X4TWZ1AA.NQF;D:\Program Files\Eset\infected;Trojan.DownLoader.36408;Deleted.;
wr-1-77.exe.vir;D:\qoobox\Quarantine\D\Program Files\svhost;Trojan.DownLoader.31840;Deleted.;
owhcriqi.dll.vir;D:\qoobox\Quarantine\D\WINDOWS\system32;Trojan.Juan.25;Deleted.;
A0020042.dll;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP117;Trojan.Virtumod.227;Deleted.;
A0024180.dll;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP122;Trojan.Virtumod.229;Deleted.;
A0024318.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP123;Trojan.DownLoader.31817;Deleted.;
A0024458.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP125;Trojan.EzulaAd;Deleted.;
A0024463.dll;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP125;Trojan.Juan.25;Deleted.;
A0024465.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP125;Trojan.EzulaAd;Deleted.;
A0008459.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP42;Adware.ZenoSearch;;
A0008465.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP42;Trojan.DownLoader.31840;Deleted.;
A0008603.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP42;Trojan.DownLoader.31840;Deleted.;
A0008702.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP46;Trojan.DownLoader.31840;Deleted.;
A0008728.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP46;Trojan.DownLoader.31840;Deleted.;
A0008736.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP47;Trojan.DownLoader.31840;Deleted.;
A0008764.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP48;Trojan.DownLoader.31840;Deleted.;
A0008788.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP48;Trojan.DownLoader.31840;Deleted.;
A0008798.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Trojan.DownLoader.31840;Deleted.;
A0008826.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Trojan.DownLoader.31840;Deleted.;
A0009826.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Trojan.DownLoader.31840;Deleted.;
A0010047.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Trojan.DownLoader.31840;Deleted.;
A0010069.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Adware.ZenoSearch;;
A0010070.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Adware.ZenoSearch;;
A0010071.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP49;Adware.Hotbot;;
A0010227.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP53;Trojan.DownLoader.31840;Deleted.;
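Triaging the saved DrWeb.csv from the steps above, as an added example (not part of the thread and not a Dr.Web tool): it parses the semicolon-separated records shown in the posted report, separates objects that were already sitting in another tool's quarantine (NOD32's infected folder, ComboFix's qoobox) or inside System Restore points from anything found live on the file system, and lists the records whose action field is empty, i.e. objects Dr.Web reported but did not remove. The field layout is inferred from the posted lines, and the embedded sample is a constructed subset of them.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) such as the one posted above.

Added example, not part of the thread and not a Dr.Web tool. Record layout
inferred from the posted lines:  name;directory;threat;action;  where an
empty action field means the scanner reported the object but did not act.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the records from the posted report.
SAMPLE_REPORT = r"""
3RBYAICA.NQF;D:\Program Files\Eset\infected;Trojan.Hammer;Deleted.;
MEHCHNAA.NQF;D:\Program Files\Eset\infected;Adware.ClickSpring;;
OUATVVBA.NQF\data001;D:\Program Files\Eset\infected\OUATVVBA.NQF;Adware.Mirarbar;;
OUATVVBA.NQF;D:\Program Files\Eset\infected;Archive contains infected objects;Moved.;
wr-1-77.exe.vir;D:\qoobox\Quarantine\D\Program Files\svhost;Trojan.DownLoader.31840;Deleted.;
A0020042.dll;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP117;Trojan.Virtumod.227;Deleted.;
A0008459.exe;D:\System Volume Information\_restore{34BC7681-253C-49E2-8ACD-4D1DE516225A}\RP42;Adware.ZenoSearch;;
"""

RESTORE_POINT = re.compile(r"\\_restore\{[0-9a-f-]+\}\\(RP\d+)", re.IGNORECASE)
VARIANT_SUFFIX = re.compile(r"\.\d+$")   # Trojan.Virtumod.227 -> Trojan.Virtumod


@dataclass(frozen=True)
class Detection:
    name: str        # file name, or archive\member for objects inside an archive
    directory: str
    threat: str
    action: str      # 'Deleted.', 'Moved.' or '' (reported only)

    @property
    def family(self) -> str:
        return VARIANT_SUFFIX.sub("", self.threat)

    @property
    def restore_point(self):
        m = RESTORE_POINT.search(self.directory)
        return m.group(1) if m else None

    @property
    def location(self) -> str:
        """Where the object sat when Dr.Web found it."""
        d = self.directory.lower()
        if self.restore_point:
            return "system-restore"          # copies kept by System Restore
        if "\\eset\\infected" in d or "\\qoobox\\quarantine" in d:
            return "existing-quarantine"     # already isolated by NOD32 / ComboFix
        return "live-filesystem"             # anything else deserves a closer look


def parse_report(text: str):
    """Parse DrWeb.csv text into Detection records, skipping blank lines."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unrecognised record: {line!r}")
        name, directory, threat, action = (f.strip() for f in fields[:4])
        detections.append(Detection(name, directory, threat, action))
    return detections


def summarize(detections):
    """Counts by location and family, plus the objects Dr.Web did not remove."""
    return {
        "by_location": Counter(d.location for d in detections),
        "by_family": Counter(d.family for d in detections),
        "restore_points": sorted({d.restore_point for d in detections if d.restore_point},
                                 key=lambda rp: int(rp[2:])),
        "not_removed": [(d.name, d.threat) for d in detections if d.action == ""],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Objects listed under not_removed still exist on disk after the scan; entries whose location is system-restore are exactly what clearing System Restore later in the thread gets rid of.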

Mr_JAk3
2007-11-16, 19:27
Hello :)

Looks clean now. How is the pc running?

Leprkon
2007-11-16, 22:45
It runs just fine!

This is the second time you guys have helped me out. I thank you.

If anything occurs, I will be sure to come back. (hopefully I won't....or...not anytime soon anyways.@_@)

Haha, well, I thank you again.
:bow:

Mr_JAk3
2007-11-17, 10:58
You're very welcome :)

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing, but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

You can remove the tools we used.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)