virtumonde and others



Zander
2008-05-27, 00:31
Hello,
I've just cleaned the first machine in my network, and now I'm posting the HJT and Kaspersky log for the other machine in my network.

(I have completed the steps in the "Readme first" section)

Can you please help me sort this mess out? I appreciate it.

Thanks!

**************
HJT Log
**************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:14 PM, on 26/05/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O2 - BHO: (no name) - {B3FA4FFF-85F1-4C0C-8FA2-1F6F98071091} - C:\WINNT\system32\ssqPhEVm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: [BM93ea0b69] Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3225] command /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5257] cmd /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5409] command /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4477] cmd /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1922] command /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4206] cmd /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6585] command /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2584] cmd /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1026] command /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7977] cmd /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA121] command /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8182] cmd /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA844] command /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4836] cmd /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2280] command /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1862] cmd /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [rebootex] C:\Program Files\RebootEx\rebootw.exe -s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [SpybotDeletingB5383] command /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7168] cmd /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5729] command /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD14] cmd /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4396] command /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7612] cmd /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6210] command /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD66] cmd /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9442] command /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6125] cmd /c del "C:\WINNT\system32\drqojpol.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB576] command /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6052] cmd /c del "C:\WINNT\system32\frcvkusn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6256] command /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5311] cmd /c del "C:\WINNT\system32\jwnldkcm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4372] command /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3931] cmd /c del "C:\WINNT\system32\ssqPhEVm.dll"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VirtualExpander.lnk = C:\WINNT\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132292444121
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177881847056
O20 - Winlogon Notify: khfCuSig - khfCuSig.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)

--
End of file - 8416 bytes



**************
Kaspersky log
**************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 12:12:58 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 800955
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 64362
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:57:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\tamara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tamara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tamara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tamara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tamara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tamara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tamara\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\bitdefender_totalsecurity_2008_32b.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\bitdefender_totalsecurity_2008_32b.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\bitdefender_totalsecurity_2008_32b.exe Rsrc-Package: infected - 2 skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\Patch.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\Patch.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\RECYCLER\S-1-5-21-839522115-1580436667-1060284298-1000\Dc162\Patch.exe Rsrc-Package: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_21c.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_310.dat Object is locked skipped

Scan process completed.

Rorschach112
2008-05-27, 03:13
Hello

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Zander
2008-05-27, 17:33
Hello,

I cleaned up using ATF, and I've posted the updated combofix and HJT logs below. Thanks for looking them over and recommending what to do.

**********
ComboFix Log
**********
ComboFix 08-05-15.3 - Tamara 27/05/2008 2:45:38.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.56 [GMT -7:00]
Running from: C:\Documents and Settings\tamara\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\pskt.ini
C:\WINNT\system32\djlcolqx.exe
C:\WINNT\system32\mVEhPqss.ini
C:\WINNT\system32\mVEhPqss.ini2
C:\WINNT\system32\nkbouvmk.ini
C:\WINNT\system32\ssqPhEVm.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 05:53 . 08-05-27 05:53 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_21c.dat
2008-05-26 12:32 . 08-05-26 12:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 12:32 . 08-05-26 12:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 12:20 . 08-05-26 12:20 0 --a------ C:\WINNT\nsreg.dat
2008-05-26 12:19 . 08-05-26 12:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 10:41 . 08-05-26 10:41 2,624 --a------ C:\WINNT\system32\ufcxomex.exe
2008-05-26 09:43 . 08-05-26 09:43 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-26 09:43 . 08-05-26 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 21:42 . 08-05-14 21:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-14 21:34 . 08-05-14 21:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-14 18:57 . 08-05-14 18:55 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-05-14 18:55 . 08-05-14 19:09 <DIR> d-------- C:\Documents and Settings\tamara\.housecall6.6
2008-05-13 20:28 . 08-05-26 10:40 109,807 --a------ C:\WINNT\BM93ea0b69.xml
2008-05-12 18:51 . 08-05-14 15:41 121 --a------ C:\WINNT\bdagent.INI
2008-05-12 18:38 . 08-05-12 18:38 <DIR> d-------- C:\Program Files\BitDefender
2008-05-12 18:36 . 08-05-12 18:38 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-12 17:30 . 08-05-12 17:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-12 17:28 . 08-05-14 11:50 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-12 17:28 . 08-05-12 17:28 1,409 --a------ C:\WINNT\QTFont.for
2008-05-12 17:23 . 08-05-12 17:23 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-07 20:56 . 08-05-07 20:56 8 --a------ C:\WINNT\sess_73c463470fd0d93bd160324f4ee968cf
2008-05-07 20:55 . 08-05-07 20:55 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-04-30 20:57 . 08-04-30 20:57 <DIR> d-------- C:\Documents and Settings\tamara\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 09:43 --------- d-----w C:\Documents and Settings\tamara\Application Data\Skype
2008-05-13 00:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 21:10 --------- d-----w C:\Documents and Settings\tamara\Application Data\AdobeUM
2006-05-11 15:45 455 ----a-w C:\Program Files\INSTALL.LOG
2005-11-18 05:30 271 ---h--w C:\Program Files\desktop.ini
2005-11-18 05:30 21,952 ---h--w C:\Program Files\folder.htt
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
C:\WINNT\system32\khfCuSig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 C:\WINNT\system32\internat.exe]
"rebootex"="C:\Program Files\RebootEx\rebootw.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08-02-01 17:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 12:50 155648]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [05-03-18 05:34 1228800]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [04-12-16 18:49 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-02-08 18:16 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-02-23 16:45 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 02:11 132496]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [06-10-04 12:38 163840]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [04-11-02 21:24 32768]
"90d938f5"="C:\WINNT\system32\kmvuobkn.dll" [ ]
"BM93ea0b69"="C:\WINNT\system32\frcvkusn.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\tamara\Start Menu\Programs\Startup\
VirtualExpander.lnk - C:\WINNT\system32\VirtualExpander\VirtualExpander.exe [2008-01-11 13:16:50 434176]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\WINNT\system32\khfCuSig.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuSig]
khfCuSig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.ACDV"= ACDV.dll

R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINNT\system32\drivers\GDTdiIcpt.sys [05-12-19 21:39 ]
R3 axsaki;axsaki;C:\WINNT\system32\DRIVERS\axsaki.sys [03-03-30 22:38 ]
R3 axskbus;axskbus;C:\WINNT\system32\DRIVERS\axskbus.sys [03-03-28 12:58 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [99-09-24 16:55 ]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINNT\system32\DRIVERS\A3AB.sys [05-03-22 20:17 ]
S3 AvFlt;Antivirus Filter Driver;C:\WINNT\system32\drivers\av5flt.sys []



**********
Hijack This
**********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:24, on 2008-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: [BM93ea0b69] Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [rebootex] C:\Program Files\RebootEx\rebootw.exe -s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VirtualExpander.lnk = C:\WINNT\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132292444121
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177881847056
O20 - Winlogon Notify: khfCuSig - khfCuSig.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)

--
End of file - 6160 bytes

Rorschach112
2008-05-27, 17:40
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINNT\system32\ufcxomex.exe
C:\WINNT\BM93ea0b69.xml
C:\WINNT\system32\internat.exe

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuSig]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Also post a new HijackThis log
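The entries the CFScript above targets are the ones the HijackThis logs in this thread show as Vundo-style load points: an unnamed BHO whose DLL is missing, Run values with random-looking names that make rundll32 load a system32 DLL by a one-letter export, and a Winlogon Notify hook. As an added example (not code from the thread, HijackThis or ComboFix), the script below flags those patterns in constructed HJT lines and then checks which flagged indicators a CFScript mentions; the function names and the heuristics are my own, and the Registry:: block is read as REGEDIT4 syntax, where `[-key]` deletes a key and `"name"=-` deletes a value.

```python
"""Triage HijackThis O2/O4/O20 lines for Vundo-style load points and check which
flagged indicators a ComboFix CFScript mentions. Added example; not thread code."""
import re
from typing import Dict, List, Tuple

# Constructed sample lines, shaped like the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: [BM93ea0b69] Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O20 - Winlogon Notify: khfCuSig - khfCuSig.dll (file missing)
"""

# Constructed CFScript in the thread's format: '<Section>::' headers, one item per line.
CFSCRIPT_SAMPLE = r"""
File::
C:\WINNT\system32\ufcxomex.exe
C:\WINNT\BM93ea0b69.xml

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuSig]

Driver::
"""

RE_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
RE_O4 = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$')
RE_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$')
# rundll32 "<dll under system32>",<one-letter export>: the shape of the Run entries in this thread
RE_RUNDLL = re.compile(r'^rundll32\.exe "(?P<dll>[^"]*\\system32\\[^"\\]+\.dll)",[a-z]$', re.I)
RE_HEXNAME = re.compile(r'^(BM)?[0-9a-f]{8}$')   # Run value names like 90d938f5 / BM93ea0b69

def triage_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (indicator, reason, line) for entries matching the thread's load-point patterns."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_O2.match(line):
            if m['name'] == '(no name)' or '(file missing)' in m['path']:
                findings.append((m['clsid'], 'unnamed or dangling BHO', line))
        elif m := RE_O4.match(line):
            r = RE_RUNDLL.match(m['cmd'])
            reasons = []
            if r:
                reasons.append('rundll32 loads a system32 DLL by a one-letter export')
            if RE_HEXNAME.match(m['key']):
                reasons.append('random-looking Run value name')
            if reasons:
                findings.append((r['dll'] if r else m['key'], '; '.join(reasons), line))
        elif m := RE_O20.match(line):
            # A Winlogon Notify DLL runs at every logon; HijackThis lists the non-default ones.
            findings.append((m['name'], 'Winlogon Notify hook (review)', line))
    return findings

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'File', 'Folder', 'Registry' and 'Driver' blocks."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r'[A-Za-z]+::', line):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def cfscript_mentions(sections: Dict[str, List[str]]) -> List[str]:
    """Indicators the script names: paths, deleted keys ('[-key]') and deleted values ('"name"=-')."""
    mentions = sections.get('File', []) + sections.get('Folder', [])
    key = ''
    for line in sections.get('Registry', []):
        if line.startswith('[-') and line.endswith(']'):
            mentions.append(line[2:-1])
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                       # context key for the values that follow
        elif line.endswith('=-'):
            mentions.append(key + '\\' + line[:-2].strip('"'))
    return mentions

def coverage(findings, mentions: List[str]) -> Dict[str, bool]:
    """Map each flagged indicator to whether some CFScript mention contains it (case-insensitive)."""
    low = [m.lower() for m in mentions]
    return {ind: any(ind.lower() in m for m in low) for ind, _, _ in findings}

if __name__ == '__main__':
    found = triage_hjt(HJT_SAMPLE)
    cov = coverage(found, cfscript_mentions(parse_cfscript(CFSCRIPT_SAMPLE)))
    for ind, reason, _ in found:
        print('covered   ' if cov[ind] else 'not listed', ind, '-', reason)
```

An indicator the script does not list is a prompt to check whether the file still exists on disk, not proof of an omission: ComboFix's own Run listing in this thread shows empty brackets for both rundll32 DLLs.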

Zander
2008-05-27, 18:31
Hi,

I did what you said, and ComboFix.exe gave me an error about this not being a valid registry entry in a dialog warning box, several times, but it continued on and produced the log, then stopped, and explorer.exe did not restart. See below for the output of ComboFix and HijackThis.


************
COMBOFIX LOG
*************

ComboFix 08-05-15.3 - Tamara 2008-05-27 8:00:56.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.69 [GMT -7:00]
Running from: C:\Documents and Settings\tamara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tamara\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\BM93ea0b69.xml
C:\WINNT\system32\internat.exe
C:\WINNT\system32\ufcxomex.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\BM93ea0b69.xml
C:\WINNT\system32\internat.exe
C:\WINNT\system32\ufcxomex.exe
.
---- Previous Run -------
.
C:\WINNT\pskt.ini
C:\WINNT\system32\djlcolqx.exe
C:\WINNT\system32\mVEhPqss.ini
C:\WINNT\system32\mVEhPqss.ini2
C:\WINNT\system32\nkbouvmk.ini
C:\WINNT\system32\ssqPhEVm.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 05:56 . 08-05-27 05:56 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2a8.dat
2008-05-27 05:53 . 08-05-27 05:53 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_21c.dat
2008-05-26 12:32 . 08-05-26 12:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-26 12:32 . 08-05-26 12:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 12:20 . 08-05-26 12:20 0 --a------ C:\WINNT\nsreg.dat
2008-05-26 12:19 . 08-05-26 12:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 09:43 . 08-05-26 09:43 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-05-26 09:43 . 08-05-26 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 21:42 . 08-05-14 21:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-14 21:34 . 08-05-14 21:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-14 18:57 . 08-05-14 18:55 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-05-14 18:55 . 08-05-14 19:09 <DIR> d-------- C:\Documents and Settings\tamara\.housecall6.6
2008-05-12 18:51 . 08-05-14 15:41 121 --a------ C:\WINNT\bdagent.INI
2008-05-12 18:38 . 08-05-12 18:38 <DIR> d-------- C:\Program Files\BitDefender
2008-05-12 18:36 . 08-05-12 18:38 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-12 17:30 . 08-05-12 17:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-12 17:28 . 08-05-14 11:50 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-12 17:28 . 08-05-12 17:28 1,409 --a------ C:\WINNT\QTFont.for
2008-05-12 17:23 . 08-05-12 17:23 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-07 20:56 . 08-05-07 20:56 8 --a------ C:\WINNT\sess_73c463470fd0d93bd160324f4ee968cf
2008-05-07 20:55 . 08-05-07 20:55 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-04-30 20:57 . 08-04-30 20:57 <DIR> d-------- C:\Documents and Settings\tamara\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 15:03 --------- d-----w C:\Documents and Settings\tamara\Application Data\Skype
2008-05-13 02:21 81,984 ----a-w C:\WINNT\system32\bdod.bin
2008-05-13 00:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 21:10 --------- d-----w C:\Documents and Settings\tamara\Application Data\AdobeUM
2006-05-11 15:45 455 ----a-w C:\Program Files\INSTALL.LOG
2005-11-18 05:30 271 ---h--w C:\Program Files\desktop.ini
2005-11-18 05:30 21,952 ---h--w C:\Program Files\folder.htt
2004-10-01 23:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
C:\WINNT\system32\khfCuSig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@={E4000AC4-5E5F-4956-807A-C5854405D64F}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 C:\WINNT\system32\internat.exe]
"rebootex"="C:\Program Files\RebootEx\rebootw.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08-02-01 17:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 12:50 155648]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [05-03-18 05:34 1228800]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [04-12-16 18:49 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-02-08 18:16 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-02-23 16:45 278528]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 02:11 132496]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [06-10-04 12:38 163840]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [04-11-02 21:24 32768]
"90d938f5"="C:\WINNT\system32\kmvuobkn.dll" [ ]
"BM93ea0b69"="C:\WINNT\system32\frcvkusn.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 05:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\tamara\Start Menu\Programs\Startup\
VirtualExpander.lnk - C:\WINNT\system32\VirtualExpander\VirtualExpander.exe [2008-01-11 13:16:50 434176]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.ACDV"= ACDV.dll

R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINNT\system32\drivers\GDTdiIcpt.sys [05-12-19 21:39 ]
R3 axsaki;axsaki;C:\WINNT\system32\DRIVERS\axsaki.sys [03-03-30 22:38 ]
R3 axskbus;axskbus;C:\WINNT\system32\DRIVERS\axskbus.sys [03-03-28 12:58 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [99-09-24 16:55 ]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINNT\system32\DRIVERS\A3AB.sys [05-03-22 20:17 ]
S3 AvFlt;Antivirus Filter Driver;C:\WINNT\system32\drivers\av5flt.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-05-01 01:16:40 C:\WINNT\Tasks\Update iTunes Music Library.job"
- C:\Documents and Settings\tamara\NetHood\My Documents\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 08:03:03
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 8:05:25
ComboFix-quarantined-files.txt 2008-05-27 15:05:13

Pre-Run: 29,597,188,096 bytes free
Post-Run: 29,590,675,456 bytes free

127 --- E O F --- 2008-03-09 19:56:53


***************
HIJACK THIS LOG
***************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:40 AM, on 27/05/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: [BM93ea0b69] Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [rebootex] C:\Program Files\RebootEx\rebootw.exe -s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VirtualExpander.lnk = C:\WINNT\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132292444121
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177881847056
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)

--
End of file - 6070 bytes

Rorschach112
2008-05-27, 19:56
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Also post a new HijackThis log and tell me how your PC is running
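As an added illustration of the triage Rorschach112 is doing above (this is editor-added example code, not a tool from this thread, from Trend Micro or from HijackThis): a small Python script that parses HijackThis O2/O4 lines and flags the same pattern, a BHO whose DLL is missing on disk, and Run values with hex-like names that launch rundll32 against a random-named DLL in system32. The sample lines are constructed from the log above (a subset, not the whole log); the "random-looking name" rule is a crude heuristic of mine, not a HijackThis feature, so treat its output as a prompt for a closer look rather than a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: O2/O4 lines in HijackThis v2.0.2 format, modelled on the
# entries in the log above (a subset, not the whole log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINNT\system32\khfCuSig.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [90d938f5] rundll32.exe "C:\WINNT\system32\kmvuobkn.dll",b
O4 - HKLM\..\Run: [BM93ea0b69] Rundll32.exe "C:\WINNT\system32\frcvkusn.dll",s
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
"""

# O2: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 registry autostarts: "O4 - HKLM\..\Run: [<value>] <command>" (Startup-folder O4 lines are skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\\.DEFAULT)?)\\\.\.\\(?P<key>Run(?:Once)?): "
                   r"\[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] "<dll>",<entrypoint>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*(?:,\s*(?P<entry>\S*))?',
                       re.IGNORECASE)
# Run value names such as 90d938f5 or BM93ea0b69: eight hex digits, optional BM prefix
HEXLIKE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")


def dll_stem(path: str) -> str:
    """Base file name without extension, from a Windows path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude heuristic (my own, not from HijackThis): eight letters that are either
    vowel-poor or mixed-case in the middle, like kmvuobkn or khfCuSig."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return vowels <= 2 or any(c.isupper() for c in stem[1:])


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per O2/O4 line that trips a heuristic, with the reasons."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if missing:
                reasons.append("BHO DLL missing on disk (orphaned CLSID)")
            if looks_random(dll_stem(path)):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append({"kind": "O2", "id": m.group("clsid"), "path": path, "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            reasons = []
            if HEXLIKE_RE.match(m.group("value")):
                reasons.append("hex-like Run value name")
            r = RUNDLL_RE.match(m.group("cmd"))
            if r and "system32" in r.group("dll").lower() and looks_random(dll_stem(r.group("dll"))):
                reasons.append("rundll32 loading a random-looking DLL from system32")
            if reasons:
                findings.append({"kind": "O4", "id": m.group("value"), "path": m.group("cmd"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['kind']} {f['id']}: {f['path']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

Run against the constructed sample it reports exactly the three entries Rorschach112 asked to have fixed (the orphaned BHO and the two rundll32 Run values) and stays quiet on the Java, iTunes and internat.exe lines; the HKCU internat.exe entries in the list above are a judgement call the heuristic does not make.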

Zander
2008-05-27, 20:43
Hello,

I followed the instructions, no error messages from either program.

I haven't dared to open internet explorer or firefox, so I can't tell whether it is all fixed yet. Should I try ?

Thank you, thank you.

Logs:


Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Quick Scan
Objects scanned: 32952
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


**********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:33 AM, on 27/05/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [rebootex] C:\Program Files\RebootEx\rebootw.exe -s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VirtualExpander.lnk = C:\WINNT\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132292444121
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177881847056
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)

--
End of file - 5518 bytes

Rorschach112
2008-05-27, 20:51
Yeah open it up, give it a whirl, tell me how it goes

Zander
2008-05-28, 16:56
Hi,

I gave it a whirl - used firefox, outlook, installed a firewall (it's a win2000 machine so it didn't have one), and the free Avast antivirus scanner.

All is looking good except when browsing last night a "party poker" popup screen appeared. I closed it immediately, and no other popup window appeared. I ran Spybot again, and it only came up with "hitbox" cookies, nothing else.

What do you think?

Rorschach112
2008-05-28, 19:06
I wouldn't worry about that, say it came from a site

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com/products/acrobat/readstep2.html



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
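To make concrete what the MVPS hosts entry above does and where it stops, here is an editor-added Python example (not the MVPS file, and not code from anyone in this thread). It parses a hosts file in the same format, answers whether a name is pinned to 127.0.0.1 or 0.0.0.0, and shows the main caveat of this technique: hosts-file blocking is exact-match, so a subdomain that is not itself listed still resolves normally. The host names in the sample are made-up placeholders, not real block-list entries.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample in the layout the MVPS file uses: one address per line, one or
# more host names, '#' comments. Placeholder domains only, not real block-list entries.
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   ads.example-ad.test        # banner network
127.0.0.1   www.example-ad.test tracker.example-ad.test
0.0.0.0     popups.example-bad.test

# blank lines and comment-only lines are ignored
"""

# Addresses a block list points names at so the connection goes nowhere.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to the address the file assigns it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)        # skip malformed lines
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = addr      # later entries override earlier ones
    return mapping


def is_sinkholed(host: str, mapping: Dict[str, str]) -> bool:
    """True if the hosts file pins this exact name to a loopback/unspecified address.
    (localhost trips this too, which is correct: it really is 127.0.0.1.)"""
    return mapping.get(host.lower().rstrip(".")) in SINKHOLE_ADDRS


def unblocked_subdomains(hosts_seen: Set[str], mapping: Dict[str, str]) -> Set[str]:
    """Names that are NOT listed but sit under a parent that is: because hosts-file
    matching is exact, these still resolve, which is the gap of this technique."""
    gaps: Set[str] = set()
    for h in hosts_seen:
        h = h.lower()
        if is_sinkholed(h, mapping):
            continue
        labels = h.split(".")
        # try every parent below the bare TLD, e.g. ads.example-ad.test, example-ad.test
        for i in range(1, len(labels) - 1):
            if is_sinkholed(".".join(labels[i:]), mapping):
                gaps.add(h)
                break
    return gaps


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    # constructed list of names a browser might look up
    seen = {"ads.example-ad.test", "cdn.ads.example-ad.test", "www.google.ca"}
    for name in sorted(seen):
        print(f"{name:28} blocked={is_sinkholed(name, table)}")
    print("listed parent, but still resolves:", sorted(unblocked_subdomains(seen, table)))
```

The last line of output is the practical point: a hosts file only stops names it names, so it complements rather than replaces the browser-side protections (restricted zone, ActiveX prompts) recommended above.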