Virtumonde troubles



kcmicull
2008-06-21, 03:39
Working on my Mom's computer: pop-ups jumping all over. Downloaded & ran Spybot, cleaned all; Virtumonde popped up on the reboot scan. Read about it & here I am. She is using the AVG Free version, but it was not updated, and my sister had just intro'd Mom to LimeWire (bad idea, IMHO). I have updated AVG and am working on getting her a licence for the "CA" Security suite.

In the meantime, I am trying to get her computer freed of Virtumonde. I would sincerely appreciate any help I can get; Mom appreciates it too.

Have run Spybot per the instructions in the forum "Read this..." thread.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:32 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Documents and Settings\Barbara Young\lsass.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\winlogon.exe
F:\Program Files\Remote Desktop\WebtopRDA.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
F:\WINDOWS\system32\RDSHOST.exe
F:\WINDOWS\system32\sessmgr.exe
F:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Barbara Young\Desktop\HiJackThis.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {05A5D972-BADC-4768-8C6B-98A9879E1480} - F:\WINDOWS\system32\opnlKCVl.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56EFA2C8-5C55-4459-A123-B6356536C8EF} - F:\WINDOWS\system32\wvUmmLfE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {72139140-392a-f48b-e494-aac7861c0c6b} - {b6c0c168-7caa-494e-b84f-a29304193127} - F:\WINDOWS\system32\tppltjqd.dll
O2 - BHO: (no name) - {FD2114A6-01DF-48E2-8153-682EE00FDEAF} - F:\WINDOWS\system32\rqRKCspP.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HP Lamp] F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CanonMyPrinter] F:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eFax 4.3] "F:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Remote Desktop Agent] "F:\Program Files\Remote Desktop\WebtopRDA.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] F:\Documents and Settings\Barbara Young\lsass.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM0b60b5aa] Rundll32.exe "F:\WINDOWS\system32\jfjuqawt.dll",s
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmileboxTray] "F:\Documents and Settings\Barbara Young\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-329068152-2111687655-1708537768-1005\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background (User 'Jerry Young')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: eFax 4.3.lnk = F:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.bssd.net
O15 - Trusted Zone: http://www.mcpl.lib.mo.us
O15 - Trusted IP range: http://204.185.144.211
O16 - DPF: {03CC02A3-6098-4D0E-89D9-71041E7F5F86} (WTPClient Class) - https://secure2.positivenetworks.net/webtop/OCX/59.4/WTP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.cmphotocenter.com/is/BPImageEditor.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotocenter.com/is/DragDropUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: rqRKCspP - F:\WINDOWS\SYSTEM32\rqRKCspP.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Positive Networks Remote Desktop Agent (winvnc) - Positive Networks - F:\Program Files\Remote Desktop\WebtopRDA.exe

--
End of file - 9928 bytes

Blade81
2008-06-22, 01:09
Hi kcmicull :)

Please uninstall Spybot for now to make sure TeaTimer won't interfere with the fixing. You may reinstall it after the system is clean :)

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes named findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

kcmicull
2008-06-22, 04:27
Here are the logs as requested. Again, I appreciate your assistance.

ComboFix 08-06-20.4 - Barbara Young 2008-06-21 19:56:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.303 [GMT -5:00]
Running from: F:\Documents and Settings\Barbara Young\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\BM0b60b5aa.xml
F:\WINDOWS\cookies.ini
F:\WINDOWS\pskt.ini
F:\WINDOWS\system32\BeKTAJjl.ini
F:\WINDOWS\system32\BeKTAJjl.ini2
F:\WINDOWS\system32\cyspdccv.ini
F:\WINDOWS\system32\EfLmmUvw.ini
F:\WINDOWS\system32\EfLmmUvw.ini2
F:\WINDOWS\system32\heydfxsr.dll
F:\WINDOWS\system32\JjQBKRqr.ini
F:\WINDOWS\system32\JjQBKRqr.ini2
F:\WINDOWS\system32\jyjdrrqv.dll
F:\WINDOWS\system32\lVCKlnpo.ini
F:\WINDOWS\system32\lVCKlnpo.ini2
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\MSINET.oca
F:\WINDOWS\system32\onydfedm.ini
F:\WINDOWS\system32\pac.txt
F:\WINDOWS\system32\rqRJDtUN.dll
F:\WINDOWS\system32\rqRKCspP.dll
F:\WINDOWS\system32\sffijfre.ini
F:\WINDOWS\system32\tfanqwgo.ini
F:\WINDOWS\system32\wblfisro.ini
F:\WINDOWS\system32\wqyqlvhg.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-21 20:12 . 2008-06-21 20:13 110,419 --a------ F:\WINDOWS\BM0b60b5aa.xml
2008-06-21 19:53 . 2008-06-21 19:53 301,568 --a------ F:\WINDOWS\system32\rqRKBQjJ.dll
2008-06-21 19:29 . 2008-06-21 19:29 122,368 --a------ F:\WINDOWS\system32\orsiflbw.dll
2008-06-21 19:26 . 2008-06-21 19:26 130,560 --a------ F:\WINDOWS\system32\ntxqsdfj.dll
2008-06-21 19:23 . 2008-06-21 19:23 128,512 --a------ F:\WINDOWS\system32\hehlhymq.dll
2008-06-21 19:20 . 2008-06-21 19:20 130,560 --a------ F:\WINDOWS\system32\ngbikgvn.dll
2008-06-21 19:17 . 2008-06-21 19:17 123,392 --a------ F:\WINDOWS\system32\ulknujue.dll
2008-06-20 19:44 . 2008-06-20 19:44 120,320 --a------ F:\WINDOWS\system32\ghvlqyqw.dll
2008-06-20 19:41 . 2008-06-20 19:41 132,608 --a------ F:\WINDOWS\system32\khcklshl.dll
2008-06-20 19:40 . 2008-06-20 19:40 123,392 --a------ F:\WINDOWS\system32\hisxihkg.dll
2008-06-20 19:38 . 2008-06-20 19:38 301,568 --a------ F:\WINDOWS\system32\ljJATKeB.dll
2008-06-20 19:02 . 2008-06-20 19:02 120,320 --a------ F:\WINDOWS\system32\erfjiffs.dll
2008-06-20 18:59 . 2008-06-20 18:59 132,608 --a------ F:\WINDOWS\system32\tppltjqd.dll
2008-06-20 18:58 . 2008-06-20 18:58 123,392 --a------ F:\WINDOWS\system32\jfjuqawt.dll
2008-06-20 13:22 . 2008-06-15 11:13 52,224 ---hs---- F:\Documents and Settings\Jerry Young\lsass.exe
2008-06-16 22:23 . 2008-06-16 22:23 300,544 --a------ F:\WINDOWS\system32\opnlKCVl.dll_old
2008-06-16 20:12 . 2008-06-17 14:48 211 --a------ F:\WINDOWS\wininit.ini
2008-06-16 17:08 . 2008-06-21 19:47 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-06-16 17:08 . 2008-06-21 19:41 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 17:03 . 2008-06-16 17:04 <DIR> d-------- F:\WINDOWS\system32\netrax18
2008-06-15 17:01 . 2004-08-04 07:00 221,184 --a------ F:\WINDOWS\system32\wmpns.dll
2008-06-15 16:59 . 2008-06-15 16:59 <DIR> d-------- F:\Program Files\Windows Media Connect 2
2008-06-15 16:54 . 2008-06-15 22:47 <DIR> d-------- F:\WINDOWS\system32\drivers\UMDF
2008-06-15 11:13 . 2008-06-15 11:13 <DIR> d-------- F:\WINDOWS\system32\netrax05
2008-06-15 11:13 . 2008-06-15 11:13 52,224 ---hs---- F:\Documents and Settings\Barbara Young\lsass.exe
2008-06-14 17:33 . 2008-06-14 17:34 <DIR> d-------- F:\Program Files\QuickTime
2008-06-11 01:43 . 2008-04-14 06:01 272,128 --a------ F:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 01:43 . 2008-04-14 06:01 272,128 -----c--- F:\WINDOWS\system32\dllcache\bthport.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ F:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ F:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 21:35 --------- d-----w F:\Documents and Settings\Barbara Young\Application Data\AVG7
2008-06-21 00:01 1,864 ----a-w F:\WINDOWS\pchealth\helpctr\Config\incstore.bin
2008-06-20 19:38 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2008-06-20 18:24 --------- d-----w F:\Documents and Settings\Jerry Young\Application Data\AVG7
2008-06-16 21:58 --------- d-----w F:\Program Files\Google
2008-06-16 21:30 --------- d-----w F:\Program Files\Common Files\Adobe
2008-06-16 19:15 --------- d-----w F:\Documents and Settings\Barbara Young\Application Data\LimeWire
2008-06-16 17:03 --------- d-----w F:\Program Files\LimeWire
2008-06-16 16:40 --------- d-----w F:\Documents and Settings\Jerry Young\Application Data\Lavasoft
2008-06-14 22:31 --------- d-----w F:\Program Files\Apple Software Update
2008-06-07 23:31 --------- d-----w F:\Documents and Settings\Barbara Young\Application Data\Smilebox
2008-05-19 16:39 --------- d-----w F:\Program Files\Yahoo!
2008-05-08 12:28 202,752 ----a-w F:\WINDOWS\system32\drivers\rmcast.sys
2008-05-02 01:36 --------- d-----w F:\Program Files\RCA
2008-04-27 04:38 --------- d-----w F:\Program Files\Three Rings Design
2008-04-24 17:05 --------- d-----w F:\Program Files\Microsoft Picture It! 7
2007-08-26 19:41 389,120 ----a-w F:\Documents and Settings\All Users\Application Data\support.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A5D972-BADC-4768-8C6B-98A9879E1480}]
F:\WINDOWS\system32\opnlKCVl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56EFA2C8-5C55-4459-A123-B6356536C8EF}]
F:\WINDOWS\system32\wvUmmLfE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{954898D4-0CF8-4062-A356-A22CA120365D}]
2008-06-21 19:53 301568 --a------ F:\WINDOWS\system32\rqRKBQjJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AnnotatedJpgOverlay]
@={846F1C20-3769-4659-BFDC-088B51FBFBD8}

[HKEY_CLASSES_ROOT\CLSID\{846F1C20-3769-4659-BFDC-088B51FBFBD8}]
2006-08-29 05:38 233472 --a------ F:\Program Files\FotoTagger\FotoTaggerToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SmileboxTray"="F:\Documents and Settings\Barbara Young\Application Data\Smilebox\SmileboxTray.exe" [2008-05-19 15:06 201352]
"Yahoo! Pager"="F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Lamp"="F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 02:00 42496]
"NeroFilterCheck"="F:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="F:\Program Files\Ahead\InCD\InCD.exe" [2004-10-18 07:14 1315840]
"Microsoft Works Update Detection"="F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45 28672]
"CanonMyPrinter"="F:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30 1191936]
"SSBkgdUpdate"="F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 01:14 155648]
"OpwareSE4"="F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 14:19 69632]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 11:09 579584]
"eFax 4.3"="F:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"Remote Desktop Agent"="F:\Program Files\Remote Desktop\WebtopRDA.exe" [2007-08-26 10:30 880640]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"BM0b60b5aa"="F:\WINDOWS\system32\iyeswqcl.dll" [2008-06-21 19:54 128512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:11 219136]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - F:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-04-19 14:38:49 629248]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Remote Desktop\\WebtopRDA.exe"=
"F:\\WINDOWS\\system32\\dpvsetup.exe"=
"F:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;F:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;F:\WINDOWS\system32\DRIVERS\sustucam.sys [2006-04-12 12:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41fc9923-3dfa-11db-992e-000f666fc181}]
\Shell\Auto\command - L:\Start.exe
\Shell\AutoRun\command - F:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee2a6320-f9a6-11db-996c-000f666fc181}]
\Shell\AutoRun\command - H:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 21:08:45 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 20:12:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\explorer.exe
-> F:\WINDOWS\system32\iyeswqcl.dll
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\system32\sessmgr.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-21 20:17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 01:17:00

Pre-Run: 9,071,144,960 bytes free
Post-Run: 10,516,606,976 bytes free

189 --- E O F --- 2008-06-13 06:08:30


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:52 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Remote Desktop\WebtopRDA.exe
F:\WINDOWS\system32\sessmgr.exe
F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\WINDOWS\system32\Rundll32.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\Barbara Young\Application Data\Smilebox\SmileboxTray.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\RDSHOST.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
F:\Documents and Settings\Barbara Young\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {05A5D972-BADC-4768-8C6B-98A9879E1480} - F:\WINDOWS\system32\opnlKCVl.dll (file missing)
O2 - BHO: (no name) - {56EFA2C8-5C55-4459-A123-B6356536C8EF} - F:\WINDOWS\system32\wvUmmLfE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {954898D4-0CF8-4062-A356-A22CA120365D} - F:\WINDOWS\system32\rqRKBQjJ.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HP Lamp] F:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CanonMyPrinter] F:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eFax 4.3] "F:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Remote Desktop Agent] "F:\Program Files\Remote Desktop\WebtopRDA.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM0b60b5aa] Rundll32.exe "F:\WINDOWS\system32\iyeswqcl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmileboxTray] "F:\Documents and Settings\Barbara Young\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: eFax 4.3.lnk = F:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.bssd.net
O15 - Trusted Zone: http://www.mcpl.lib.mo.us
O15 - Trusted IP range: http://204.185.144.211
O16 - DPF: {03CC02A3-6098-4D0E-89D9-71041E7F5F86} (WTPClient Class) - https://secure2.positivenetworks.net/webtop/OCX/59.4/WTP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.cmphotocenter.com/is/BPImageEditor.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.cmphotocenter.com/is/DragDropUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Positive Networks Remote Desktop Agent (winvnc) - Positive Networks - F:\Program Files\Remote Desktop\WebtopRDA.exe

--
End of file - 9170 bytes

Blade81
2008-06-22, 12:07
Hi


Start hjt, do a system scan, check:
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
F:\WINDOWS\BM0b60b5aa.xml
F:\WINDOWS\system32\rqRKBQjJ.dll
F:\WINDOWS\system32\orsiflbw.dll
F:\WINDOWS\system32\ntxqsdfj.dll
F:\WINDOWS\system32\hehlhymq.dll
F:\WINDOWS\system32\ngbikgvn.dll
F:\WINDOWS\system32\ulknujue.dll
F:\WINDOWS\system32\ghvlqyqw.dll
F:\WINDOWS\system32\khcklshl.dll
F:\WINDOWS\system32\hisxihkg.dll
F:\WINDOWS\system32\ljJATKeB.dll
F:\WINDOWS\system32\erfjiffs.dll
F:\WINDOWS\system32\tppltjqd.dll
F:\WINDOWS\system32\jfjuqawt.dll
F:\Documents and Settings\Jerry Young\lsass.exe
F:\WINDOWS\system32\opnlKCVl.dll_old
F:\Documents and Settings\Barbara Young\lsass.exe

Folder::
F:\WINDOWS\system32\netrax18
F:\WINDOWS\system32\netrax05

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A5D972-BADC-4768-8C6B-98A9879E1480}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56EFA2C8-5C55-4459-A123-B6356536C8EF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{954898D4-0CF8-4062-A356-A22CA120365D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM0b60b5aa"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41fc9923-3dfa-11db-992e-000f666fc181}]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under "select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
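
A worked example of reading the CFScript above, added here by the editor; it is not part of Blade81's post, of ComboFix or of HijackThis. It parses the three sections the script uses (File::, Folder::, Registry::) into a structured plan, then applies two triage rules to the listed paths: a file carrying a core system-process name (lsass.exe and friends) that does not live in \WINDOWS\system32, and an eight-letter DLL name in system32 of the kind Virtumonde/Vundo drops. It also matches the Run value being deleted to the file with the same stem, which shows that the autorun entry and the .xml it names are one persistence mechanism. Assumptions: the sample input is a trimmed copy of the script in the post; the expansion of '~' to the Explorer key (where Browser Helper Objects are registered) is the editor's reading of ComboFix shorthand; the triage rules are heuristics for a human to follow up, not a verdict (legitimate eight-letter DLL names exist, so check the file's version resource and signer before acting).

```python
"""Parse a ComboFix CFScript into a plan and triage the paths it lists.

Editor's example for this thread; not ComboFix, HijackThis or the poster's code.
"""
import re

# Sample input: trimmed copy of the CFScript posted in this thread.
SAMPLE_CFSCRIPT = r"""
File::
F:\WINDOWS\BM0b60b5aa.xml
F:\WINDOWS\system32\rqRKBQjJ.dll
F:\WINDOWS\system32\orsiflbw.dll
F:\WINDOWS\system32\opnlKCVl.dll_old
F:\Documents and Settings\Barbara Young\lsass.exe

Folder::
F:\WINDOWS\system32\netrax18

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A5D972-BADC-4768-8C6B-98A9879E1480}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM0b60b5aa"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41fc9923-3dfa-11db-992e-000f666fc181}]
"""

# Assumption: '~' in an HKLM path is ComboFix shorthand for the Explorer key,
# which is where Browser Helper Objects are registered.
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

SECTION_RE = re.compile(r"^(\w+)::\s*$")          # File:: / Folder:: / Registry::
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")   # [-KEY] deletes, [KEY] sets context
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')       # "name"=- deletes a value


def parse_cfscript(text):
    """Return the deletions the script requests, grouped by kind."""
    plan = {"files": [], "folders": [], "reg_keys": [], "reg_values": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            plan["files"].append(line)
        elif section == "folder":
            plan["folders"].append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                key = m.group(2).replace("\\~\\", "\\" + EXPLORER_KEY + "\\")
                if m.group(1) == "-":
                    plan["reg_keys"].append(key)   # whole key removed
                    current_key = None
                else:
                    current_key = key              # context for "name"=- lines
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key:
                plan["reg_values"].append((current_key, m.group(1)))
        # other CFScript sections are ignored by this parser
    return plan


SYSTEM_PROCESS_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe"}
# Heuristic (editor's assumption): eight random letters, .dll or a renamed .dll_old.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll(_old)?$", re.IGNORECASE)


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def triage_paths(paths):
    """Return (path, reason) hits; a hit means 'look at this', not 'this is malware'."""
    findings = []
    for p in paths:
        directory, name = split_path(p)
        if name.lower() in SYSTEM_PROCESS_NAMES and not directory.endswith(r"\windows\system32"):
            findings.append((p, "system process name outside \\WINDOWS\\system32"))
        elif directory.endswith(r"\windows\system32") and RANDOM_DLL_RE.match(name):
            findings.append((p, "eight-letter DLL name in system32; check version info and signer"))
    return findings


def autorun_file_pairs(plan):
    """Pair each Run value being deleted with a listed file of the same stem."""
    stems = {split_path(f)[1].rsplit(".", 1)[0].lower(): f for f in plan["files"]}
    pairs = []
    for key, name in plan["reg_values"]:
        if key.lower().endswith(r"\currentversion\run") and name.lower() in stems:
            pairs.append((name, stems[name.lower()]))
    return pairs


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for kind, items in plan.items():
        print(f"{kind}: {len(items)}")
    for path, why in triage_paths(plan["files"]):
        print("FLAG", path, "->", why)
    for value, path in autorun_file_pairs(plan):
        print("Run value", value, "pairs with", path)
```

Running it on the trimmed script flags the four Vundo-style DLLs and the user-profile lsass.exe, leaves the .xml unflagged by the path rules, and reports that the BM0b60b5aa Run value and F:\WINDOWS\BM0b60b5aa.xml belong together; that pairing is why the script removes both rather than only the file.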

Blade81
2008-06-28, 14:32
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.