virtumonde removal assistance request



megashub
2007-11-26, 10:40
I've installed HJT, renamed it to picillo21.exe, and saved the log following the instructions provided to other users. Please note, this HJT log is post-combofix.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:55 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
g:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
g:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\piccollo21.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wm3.org/admin
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] G:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PrintServer Diagnostic] g:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "G:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099544219375
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F930461-A262-4E4D-BF47-46BEF45E5E7D}: NameServer = 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{691E223C-1369-4963-BC5D-797E3C31D20F}: NameServer = 4.2.2.1,4.2.2.2,4.2.2.3,4.2.2.4,4.2.2.5,4.2.2.6,68.105.28.12,24.248.131.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8106 bytes


I've also run ComboFix, within safe mode (without networking support), and have provided its log below.


ComboFix 07-11-19.3 - Bob 2007-11-23 11:18:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.746 [GMT -7:00]
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\xloadnet
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\kojximay.dll
C:\WINDOWS\system32\mafksedo.dll
C:\WINDOWS\system32\nixqntnt.dll
C:\WINDOWS\system32\rwygdsur.dll
C:\WINDOWS\system32\ugqshbpb.dll
C:\WINDOWS\system32\uumqjivr.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 10:53 188,416 --a------ C:\WINDOWS\system32\vbalexpbar.ocx
2007-11-23 10:53 83,968 --a------ C:\WINDOWS\system32\vbaliml.ocx
2007-11-23 10:53 74,752 --a------ C:\WINDOWS\system32\vbalarlb.ocx
2007-11-23 10:53 53,248 --a------ C:\WINDOWS\system32\zlib.dll
2007-11-23 10:53 29,696 --a------ C:\WINDOWS\system32\ssubtmr.dll
2007-11-19 23:34 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Ahead
2007-11-15 19:39 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Yahoo! Messenger
2007-11-12 23:36 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\OpenOffice.org2
2007-11-12 23:27 3,564,584 --a------ C:\Program Files\procexp.exe
2007-11-11 17:42 93,184 --a------ C:\Documents and Settings\Bob\iexplore.exe
2007-11-11 13:59 <DIR> d-------- C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP
2007-11-11 13:59 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\minuscule
2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-06 17:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 17:17 <DIR> d-------- C:\Program Files\uTorrent
2007-11-02 17:17 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\uTorrent
2007-10-29 01:49 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-29 01:40 <DIR> d-------- C:\Program Files\Serious Magic
2007-10-25 00:05 1,544,542 --a------ C:\WINDOWS\system32\avcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-22 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 17:16 --------- d-----w C:\Documents and Settings\Bob\Application Data\AVG7
2007-11-20 06:33 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 21:52 --------- d-----w C:\Program Files\Java
2007-11-17 01:05 --------- d-----w C:\Documents and Settings\Bob\Application Data\AdobeUM
2007-11-11 20:59 --------- d-----w C:\Documents and Settings\Bob\Application Data\dvdcss
2007-10-29 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 22:39 --------- d-----w C:\Documents and Settings\Bob\Application Data\MPEG Streamclip
2007-10-19 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 16:52 --------- d-----w C:\Documents and Settings\Bob\Application Data\Viewpoint
2007-10-18 21:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-12 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-12 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\Bob\Application Data\acccore
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-12 21:58 --------- d-----w C:\Program Files\Viewpoint
2007-10-12 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 21:57 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-12 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-10-12 07:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-11 20:07 --------- d-----w C:\Program Files\Zune
2007-10-11 20:06 --------- d-----w C:\Program Files\DIFX
2007-10-11 20:06 --------- d-----w C:\Program Files\Common Files\ComponentOne
2007-10-08 20:42 --------- d-----w C:\Program Files\Resource Kit
2007-10-06 22:57 --------- d-----w C:\Documents and Settings\Bob\Application Data\PCF-VLC
2007-10-06 22:53 --------- d-----w C:\Documents and Settings\Bob\Application Data\Participatory Culture Foundation
2007-10-06 20:21 --------- d-----w C:\Documents and Settings\Bob\Application Data\TVU Networks
2007-09-30 23:00 --------- d-----w C:\Documents and Settings\Bob\Application Data\FlashFXP
2007-09-26 18:35 --------- d-----w C:\Documents and Settings\Bob\Application Data\InstallShield
2007-08-31 12:36 72,138 ----a-w C:\Program Files\procexp.chm
2007-04-18 18:37 1,399,673 --sh--w C:\WINDOWS\system32\nqtss.bak1
2007-04-18 21:45 1,399,726 --sh--w C:\WINDOWS\system32\nqtss.bak2
2007-04-18 22:43 1,399,953 --sh--w C:\WINDOWS\system32\nqtss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Aim6"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Steam"="G:\Program Files\Steam\Steam.exe" [2007-11-21 18:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"AHQInit"="G:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 09:49]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"PrintServer Diagnostic"="g:\Program Files\Print Server\PTP\PSDiagnostic.exe" []
"DAEMON Tools-1033"="G:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 08:18]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 14:42]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 17:03]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"!AVG Anti-Spyware"="g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]
C:\Program Files\xloadnet\xloadnet.exe

R2 X4HSX32;X4HSX32;\??\g:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 PCAlertDriver;PCAlertDriver;\??\G:\Program Files\MSI\Core Center\NTGLM7X.sys
R3 RushTopDevice;RushTopDevice;\??\G:\Program Files\MSI\Core Center\RushTop.sys
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Udisusrvawfi;Udisusrvawfi;C:\WINDOWS\system32\drivers\ati1pdxx.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys
S3 WCG200BXP;Linksys WCG200 Wireless-G Cable Gateway(B);C:\WINDOWS\system32\DRIVERS\WCGBXP.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4412b128-02f4-11da-bc25-0002b34c634f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 11:23:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-23 11:25:55 - machine was rebooted
.
--- E O F ---

megashub
2007-11-26, 11:18
I would have also included the Kaspersky Labs scanner results, but their online scanner isn't able to download daily.avc from any of the kaspersky-labs.com ftp servers, so it eventually fails out with this pop-up error message:

"Update process FAILED. No further antivirus actions can be performed!

Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-Virus bases version must be downloaded prior to scan. Otherwise we cannot guarantee detection of latest viruses. [21]"

Internet Explorer is allowed via Windows Firewall, and it downloads the application itself and 92% of the virus definitions before failing. I'll keep trying it, and if it eventually completes, I will post the results.

megashub
2007-11-26, 19:17
After about 30 minutes of retries, it gave me the files. Must have been during a signature update or something. Anyway, here's the log as promised. My other scanners never found any of this crap... used to think AVG was good... now? I'm beginning to have doubts.

http://www.megashub.com/megashub-kaspersky.txt

katana
2007-12-02, 00:18
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.

Please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.

megashub
2007-12-02, 01:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:59 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
g:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\uTorrent\uTorrent.exe
G:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\zstatus.exe
G:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\piccollo21.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wm3.org/admin
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] G:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PrintServer Diagnostic] g:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "G:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099544219375
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F930461-A262-4E4D-BF47-46BEF45E5E7D}: NameServer = 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{691E223C-1369-4963-BC5D-797E3C31D20F}: NameServer = 4.2.2.1,4.2.2.2,4.2.2.3,4.2.2.4,4.2.2.5,4.2.2.6,68.105.28.12,24.248.131.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8280 bytes

katana
2007-12-02, 12:34
Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\Documents and Settings\Bob\iexplore.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\maskrider2001.vbs
Folder::
C:\Program Files\xloadnet

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"=-
"REGSHAVE"=-
"NWEReboot"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4412b128-02f4-11da-bc25-0002b34c634f}]

Save this as CFScript.txt and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Something went wrong with that Kaspersky log, and it is virtually unreadable
You will need to do it again, but first I suggest that you empty the following folders using Thunderbird
mail.visionman.com\Inbox
mail.wm3.org\Inbox
pop.cableaz.com\Inbox
mail.visionman.com\Sent
mail.wm3.org\Sent
pop.cableaz.com\Junk
pop.cableaz.com\Saved Mail <<<< ( anything from the 8 April 2005)

You also have infected mail in
G:\Storage\oldc

megashub
2007-12-02, 20:05
[QUOTE=katana;141357]Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident[/QUOTE]

You asked that I report anything that's inconsistent with the instructions instead of continuing onward.

Currently, the Spybot system tray icon is not present at all. I haven't manually closed Spybot, but Teatimer is still running in my Processes list. How would you like me to proceed? Shall I manually End Task on Tea Timer? I await your instructions.

Thanks for your assistance!!

Bob

katana
2007-12-02, 20:19
Yes, please End Task on Tea Timer

megashub
2007-12-03, 04:01
Disabled Spybot/TeaTimer as instructed.

Fixed the items you specified using HJT, as instructed.

Virustotal results:
\bob\Iexplore.exe:
Webwasher-Gateway: BlockReason.0
MD5: e7484514c0464642be7b4dc2689354c8

The .TMP file is actually a folder, containing 3 files, all of which I scanned with Virustotal. They are clean. (let me know if you'd like the filenames)


Combofix results:

ComboFix 07-12-02.5 - Bob 2007-12-02 14:21:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\maskrider2001.vbs
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\sstqn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 13:52 . 2007-12-02 13:52 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-02 13:52 . 2007-12-02 13:52 <DIR> d-------- C:\Program Files\Sierra Wireless
2007-12-02 13:52 . 2004-07-21 11:40 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2007-12-02 13:51 . 2007-12-02 13:51 <DIR> d-------- C:\WINDOWS\Sierra
2007-11-28 19:00 . 2007-11-28 19:00 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Sibelius Software
2007-11-26 01:50 . 2007-11-26 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 01:50 . 2007-11-26 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 01:01 . 2007-11-26 01:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 10:53 . 1997-01-16 00:00 958,224 --a------ C:\WINDOWS\system32\mschart.ocx
2007-11-23 10:53 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2007-11-23 10:53 . 2003-11-11 20:47 188,416 --a------ C:\WINDOWS\system32\vbalexpbar.ocx
2007-11-23 10:53 . 1998-11-11 11:26 114,176 --a------ C:\WINDOWS\system32\ccrpdtp.ocx
2007-11-23 10:53 . 2003-04-01 08:33 83,968 --a------ C:\WINDOWS\system32\vbaliml.ocx
2007-11-23 10:53 . 2003-07-04 23:27 74,752 --a------ C:\WINDOWS\system32\vbalarlb.ocx
2007-11-23 10:53 . 2002-03-13 16:46 53,248 --a------ C:\WINDOWS\system32\zlib.dll
2007-11-23 10:53 . 2003-01-22 20:37 29,696 --a------ C:\WINDOWS\system32\ssubtmr.dll
2007-11-19 23:34 . 2007-11-25 15:17 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Ahead
2007-11-19 16:00 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-19 16:00 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-11-19 16:00 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-15 19:39 . 2007-11-15 19:39 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Yahoo! Messenger
2007-11-12 23:36 . 2007-11-21 15:48 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\OpenOffice.org2
2007-11-12 23:33 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-12 23:27 . 2007-11-05 07:54 3,564,584 --a------ C:\Program Files\procexp.exe
2007-11-11 17:42 . 2004-08-04 00:56 93,184 --a------ C:\Documents and Settings\Bob\iexplore.exe
2007-11-11 13:59 . 2007-11-11 13:59 <DIR> d-------- C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP
2007-11-11 13:59 . 2007-11-11 13:59 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\minuscule
2007-11-06 17:02 . 2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-06 17:01 . 2007-11-06 17:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 17:17 . 2007-11-02 17:17 <DIR> d-------- C:\Program Files\uTorrent
2007-11-02 17:17 . 2007-12-02 13:07 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 13:29 --------- d-----w C:\Documents and Settings\Bob\Application Data\AVG7
2007-12-02 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-01 19:43 --------- d-----w C:\Documents and Settings\Bob\Application Data\AdobeUM
2007-11-27 03:32 --------- d-----w C:\Documents and Settings\Bob\Application Data\dvdcss
2007-11-26 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-22 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 06:33 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 21:52 --------- d-----w C:\Program Files\Java
2007-10-29 08:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-29 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-29 08:40 --------- d-----w C:\Program Files\Serious Magic
2007-10-19 22:39 --------- d-----w C:\Documents and Settings\Bob\Application Data\MPEG Streamclip
2007-10-19 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 16:52 --------- d-----w C:\Documents and Settings\Bob\Application Data\Viewpoint
2007-10-18 21:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-12 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-12 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\Bob\Application Data\acccore
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-12 21:58 --------- d-----w C:\Program Files\Viewpoint
2007-10-12 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 21:57 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-12 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-10-12 07:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-11 20:07 --------- d-----w C:\Program Files\Zune
2007-10-11 20:06 --------- d-----w C:\Program Files\DIFX
2007-10-11 20:06 --------- d-----w C:\Program Files\Common Files\ComponentOne
2007-10-08 20:42 --------- d-----w C:\Program Files\Resource Kit
2007-10-06 22:57 --------- d-----w C:\Documents and Settings\Bob\Application Data\PCF-VLC
2007-10-06 22:53 --------- d-----w C:\Documents and Settings\Bob\Application Data\Participatory Culture Foundation
2007-10-06 20:21 --------- d-----w C:\Documents and Settings\Bob\Application Data\TVU Networks
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvugart.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 08:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 08:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 08:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 08:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 08:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 08:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 08:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 08:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 08:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 08:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 08:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 08:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 08:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 08:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 08:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 08:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 08:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 08:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 08:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 08:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 08:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 08:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 08:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 08:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 08:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-31 12:36 72,138 ----a-w C:\Program Files\procexp.chm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Steam"="G:\Program Files\Steam\Steam.exe" [2007-11-30 00:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AHQInit"="G:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 09:49]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"PrintServer Diagnostic"="g:\Program Files\Print Server\PTP\PSDiagnostic.exe" []
"DAEMON Tools-1033"="G:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 08:18]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 14:42]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 17:03]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"!AVG Anti-Spyware"="G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:18]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

R2 X4HSX32;X4HSX32;\??\g:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 PCAlertDriver;PCAlertDriver;\??\G:\Program Files\MSI\Core Center\NTGLM7X.sys
R3 RushTopDevice;RushTopDevice;\??\G:\Program Files\MSI\Core Center\RushTop.sys
R3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys
R3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Udisusrvawfi;Udisusrvawfi;C:\WINDOWS\system32\drivers\ati1pdxx.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys
S3 WCG200BXP;Linksys WCG200 Wireless-G Cable Gateway(B);C:\WINDOWS\system32\DRIVERS\WCGBXP.sys

*Newly Created Service* - PROCEXP90
*Newly Created Service* - SPCSUTILITYSERVICE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 14:22:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 14:23:19
C:\ComboFix2.txt ... 2007-11-25 12:35
C:\ComboFix3.txt ... 2007-11-23 18:01
.
--- E O F ---


New Kaspersky scan (HTML version):
http://www.megashub.com/megashub-kaspersky.html

katana
2007-12-03, 04:55
but first I suggest that you empty the following folders using Thunderbird
mail.visionman.com\Inbox
mail.wm3.org\Inbox
pop.cableaz.com\Inbox
mail.visionman.com\Sent
mail.wm3.org\Sent
pop.cableaz.com\Junk
pop.cableaz.com\Saved Mail <<<< ( anything from the 8 April 2005)

You also have infected mail in
G:\Storage\oldc

The above are still showing in the log

Do you know what this relates to ?
G:\Program Files\SniffPass\SniffPass.exe

megashub
2007-12-03, 05:00
The mail-related entries can be purged outright. In fact I thought I had. I went into the app, and removed the content you suggested (wholesale, emptied entire folders into trash), and then emptied my trash. They still showed up. Not sure why.

I don't even use Thunderbird anymore, and would be happy to just uninstall the app and nuke whatever folders you supply to me, if that course of action would be quicker?

With regard to sniffpass, I'm a technical consultant, and was evaluating a network password sniffer for a client to self-monitor their network. It can be uninstalled and its folders purged if necessary.

katana
2007-12-03, 05:11
As long as you know what sniffpass is, and that it was there, that is fine.

If you don't use Thunderbird, it would be quicker to remove the program :)
Just uninstall via Add/Remove programs
and then check that
C:\Documents and Settings\Bob\Application Data\Thunderbird
has been deleted

I would also delete G:\dump\Zoo Tycoon 2 Full.rar

How are things running now ?

megashub
2007-12-03, 05:26
Things are running well. Things dramatically improved after I initially ran ComboFix, but since Virtumonde kept showing up in scans, I knew it would re-occur unless I stopped it.

I assume the machine is not yet clean (enough)?

I'm not so much concerned with performance at this point, as I am about making sure I'm fully clean so I'm not back here again in a few weeks. heh.

This install of Windows is many years old at this point, and it's showing signs of general instability anyway. I've gotten used to a certain amount of irritation. :)

I'll purge Thunderbird and its storehouses.

katana
2007-12-03, 05:30
Let's do one more scan to be certain

TotalScan

Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

megashub
2007-12-03, 05:36
Thunderbird has been removed. App Data has also been removed. Also removed the Thunderbird directory in g:\storage\oldc, just for good measure. (there was no old app data stored on G: that I could find)

What's next?

katana
2007-12-03, 05:39
Let's do one more scan to be certain

TotalScan

Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.


:D: Beat you to it :D:

megashub
2007-12-03, 05:51
ROFL... installed the plugin, waiting for it to download updates... could be a while waiting on that (hasn't moved in a while.. we shall see). Anyway, I'll post the results once it's done. :cool:

megashub
2007-12-03, 08:08
Alright... after letting it sit to hopefully receive its updates for approximately 3 hours, I decided to cancel it and restart the process to see if it just stalled. It's still just sitting there at 0% waiting to receive updates.

Next?

katana
2007-12-03, 09:40
Try this instead

Run Panda Online Scan
Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop

megashub
2007-12-04, 03:28
Try this instead

Run Panda Online Scan
Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop

Please find the results attached. Thanks!
Bob

katana
2007-12-04, 12:01
OK, that's looking good now, how are things running ?

I would like to have another look at that iexplore file, it shouldn't be there.

navigate to C:\Documents and Settings\Bob\iexplore.exe
and Right click on the file and select Properties
Let me know how big the file is and any other information there
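A triage check for the kind of finding raised in this post, as an added example that is not part of the original thread: it parses the "Files Created" lines of a ComboFix log and flags well-known Windows binary names that sit outside their usual folder. The expected-folder table is an assumption for a default Windows XP install on C:, and one sample line is constructed.

```python
import ntpath  # Windows path semantics, usable on any OS
import re
from datetime import datetime

# Assumption: usual homes of well-known binaries on a default Windows XP
# install on C:, matching the "Running processes" list posted in this thread.
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# created . modified  size-or-<DIR>  attributes  path
LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Four lines in the format of the ComboFix log in this thread, plus one
# constructed line (rundll32.exe in its normal folder) as a negative case.
SAMPLE_LOG = r"""
2007-12-02 13:52 . 2007-12-02 13:52 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-02 13:52 . 2004-07-21 11:40 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2007-11-12 23:27 . 2007-11-05 07:54 3,564,584 --a------ C:\Program Files\procexp.exe
2007-11-11 17:42 . 2004-08-04 00:56 93,184 --a------ C:\Documents and Settings\Bob\iexplore.exe
2007-11-11 17:42 . 2004-08-04 00:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
"""


def parse_created(log_text):
    """Return one dict per recognisable 'Files Created' line; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, lone dots
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "path": m["path"],
        })
    return entries


def misplaced_system_binaries(entries):
    """Flag files named like a system binary but stored in another folder."""
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        name = ntpath.basename(e["path"]).lower()
        folder = ntpath.normcase(ntpath.dirname(e["path"]))
        expected = EXPECTED_DIRS.get(name)
        if expected and folder not in expected:
            findings.append({
                "path": e["path"],
                "expected": sorted(expected),
                # A modified time far older than the created time means the
                # file was copied in and kept its original timestamp. That
                # alone says nothing about whether the content is genuine.
                "days_modified_before_created":
                    (e["created"] - e["modified"]).days,
            })
    return findings


if __name__ == "__main__":
    for f in misplaced_system_binaries(parse_created(SAMPLE_LOG)):
        print("REVIEW:", f["path"])
        print("  usual folder(s):", ", ".join(f["expected"]))
        print("  modified", f["days_modified_before_created"],
              "days before it was created here")
```

A hit is only a prompt to verify the file, for example by comparing its hash with the copy in the usual folder or submitting it for analysis.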

megashub
2007-12-04, 19:27
This one looks a tad fishy.

It's 91k, created 11-11-2007, modified 2004-08-04, accessed 2007-12-04

The version tab looks completely legit. Version: 6.0.2900.2180, Copyright Microsoft Corporation. All rights reserved. etc.

katana
2007-12-04, 20:55
Let's try and get a read on it

Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to desktop, open it then copy/paste the list of files below,
press next & it will create an archive on your desktop called Requested Files[date:Time].cab
Files to be Packed.

C:\Documents and Settings\Bob\iexplore.exe



Now visit Jotti (http://virusscan.jotti.org/)
Click on Browse... and navigate to Requested Files[date:Time].cab that was created on your desktop
Click Open
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)

megashub
2007-12-04, 21:52
It came back clean using both services.

To answer your previous question, things are running just fine, but they have been for a while now.

katana
2007-12-04, 23:02
Let's get it checked out by the experts :)

Please send an E-Mail to -- detections AT spybot.info (replace AT with @, no spaces)

As the message title put -- Suspicious iexplore.exe
Include this link in the body of the E-Mail -- http://forums.spybot.info/showthread.php?p=141959#post141959
Please include any comments you would like to make

Attach Requested Files[date:Time].cab
now send the mail.

Navigate to C:\Documents and Settings\Bob\iexplore.exe
Make sure you can see .exe on the end of iexplore
Right click and select Rename
Rename it to iexplore.exe.vir

That will stop it from running until we find out what it is :laugh:

Apart from that, .........

Congratulations, your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Please delete
suspicious file packer
Requested Files[date:Time].cab
You can also delete any logs we have produced, and empty your Recycle bin.

Reset System Restore.
Now you should disable System Restore to purge any infected files and then re-enable it.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
All the programs in this list have a free version.
It is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Ad-Aware 2007 Free (http://www.lavasoftusa.com/products/ad_aware_free.php) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup. Allows delayed startup. A must have addition.
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative.
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has Addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

spybotsandra
2007-12-06, 15:46
Hello,

We have checked that file and it is the usual exe file from the Internet Explorer.

Best regards
Sandra
Team Spybot

katana
2007-12-06, 18:03
:bigthumb:

Strange place for it to be located ?
Oh well, as long as it is safe :D:

My thanks to all involved

K'

tashi
2007-12-14, 03:32
Thank you katana. :)