Ok i've been up for 32 hours, i need help

mightymike
2009-02-08, 23:55
This seems to be the culprit,

O2 - BHO: (no name) - {9D646A4A-9F89-4749-9F68-4BDA3EEE7292} - C:\WINNT\system32\opnmNFXn.dll

Can't delete the file or registry entry, the entry just returns and the file doesn't allow me access, Spybot Search and Destroy glitches on a Zlob.downloader.miu identification...

What more can I tell you?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:02 PM, on 2/8/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\nbkbqylz\nbkbqylz.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\nbkbqylz\nbkbqylz.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D646A4A-9F89-4749-9F68-4BDA3EEE7292} - C:\WINNT\system32\opnmNFXn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5391 bytes

Sorry for posting without removing the word wrap... do you wish me to post again, properly?

peku006
2009-02-12, 20:54
Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Move HiJackThis to its own folder
Your HiJackThis program is currently located at C:\hijackthis.exe
Create a new folder C:\HJT or C:\Program Files\HJT
Move HiJackThis to the new folder

2 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks, peku006

mightymike
2009-02-13, 00:48
ComboFix 09-02-12.03 - Administrator 02/12/2009 17:36:28.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.496 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\winnt\system32\drivers\npf.sys
c:\winnt\system32\jadosulc.dll
c:\winnt\system32\nXFNmnpo.ini
c:\winnt\system32\nXFNmnpo.ini2
c:\winnt\system32\packet.dll
c:\winnt\system32\pthreadVC.dll
c:\winnt\system32\upbvpr.dll
c:\winnt\system32\vtpdaqyx.ini
c:\winnt\system32\wpcap.dll
c:\winnt\system32\xyqadptv.dll
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 17:25 . 09-02-12 17:26 2,921,379 --a------ C:\ComboFix.exe
2009-02-12 17:19 . 09-02-12 17:19 <DIR> d-------- C:\HJT
2009-02-08 14:31 . 09-02-08 14:31 110 --a------ C:\backup-20090208-143128-902
2009-02-08 14:30 . 09-02-08 14:30 1,003 --a------ C:\backup-20090208-143055-160
2009-02-08 09:07 . 09-02-08 09:07 <DIR> d-------- c:\program files\nbkbqylz
2009-02-08 09:07 . 09-02-12 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-08 09:07 . 09-02-08 09:07 21,512 --a------ c:\winnt\system32\drivers\pxscan.sys
2009-02-08 08:21 . 09-02-08 08:21 163 --a------ C:\backup-20090208-082115-880
2009-02-08 08:21 . 09-02-08 08:21 110 --a------ C:\backup-20090208-082138-721
2009-02-08 08:20 . 09-02-08 08:20 110 --a------ C:\backup-20090208-082032-345
2009-02-08 08:16 . 09-02-08 08:16 0 --a------ c:\winnt\system32\hello
2009-02-08 07:39 . 09-02-08 07:39 110 --a------ C:\backup-20090208-073937-130
2009-02-08 07:19 . 09-02-08 07:19 110 --a------ C:\backup-20090208-071956-155
2009-02-08 07:17 . 09-02-08 07:17 110 --a------ C:\backup-20090208-071758-598
2009-02-08 06:54 . 09-02-08 06:54 2,082 --ahs---- c:\winnt\system32\nXFNmnpo.ini.2
2009-02-08 03:19 . 09-02-08 03:19 137 --a------ C:\backup-20090208-031927-249
2009-02-08 03:19 . 09-02-08 03:19 110 --a------ C:\backup-20090208-031927-911
2009-02-08 03:19 . 09-02-08 03:19 69 --a------ C:\backup-20090208-031927-691
2009-02-08 01:45 . 09-02-12 17:38 2,188 --a------ c:\winnt\disdayrp
2009-02-08 01:45 . 09-02-08 06:56 2,082 --ahs---- c:\winnt\system32\nXFNmnpo.ini.x
2009-02-08 01:37 . 09-02-08 13:34 <DIR> d-------- C:\acr-temp
2009-02-08 01:36 . 09-02-08 01:36 6,149,928 --a------ C:\DNG_Camera_Raw_4_2.zip
2009-02-08 01:12 . 09-02-08 01:12 <DIR> d-------- c:\program files\AskSearch
2009-02-08 01:12 . 09-02-08 01:12 <DIR> d-------- c:\program files\AskBarDis
2009-02-08 01:11 . 09-02-08 01:12 1,754,496 --a------ C:\BitTorrent-6.1.2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 22:40 --------- d---a-w c:\documents and settings\All Users\Application Data\avg7
2009-02-08 19:52 401,720 ----a-w C:\HijackThis.exe
2009-02-08 14:16 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-02-08 08:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-08 06:12 --------- d-----w c:\program files\BitTorrent
2009-02-08 06:06 --------- d-----w c:\program files\eMule
2009-02-05 05:40 --------- d-----w c:\program files\FTP Commander
2008-12-18 02:33 --------- d-----w c:\program files\Qimage
2008-01-07 05:50 733 ----a-w c:\program files\Common Files\Exif.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifVgl.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifExc.cfg
2008-01-07 05:50 14,790 ----a-w c:\program files\Common Files\Kamera2.Cfg
2008-01-07 05:48 3 ----a-w c:\program files\Common Files\Exif Viewer.Jpg
2006-08-03 00:17 3,792,597 ----a-w c:\program files\Common Files\exif.xls
2005-09-18 05:55 2,255 ----a-w c:\program files\Common Files\dffdg.vgl
2005-08-30 23:04 8,628 ---ha-w c:\program files\Common Files\Exif Viewer.GID
2005-08-30 23:03 8,628 ---ha-w c:\program files\Common Files\Exif Glossar.GID
2005-03-12 18:49 609,358 ----a-w c:\program files\Common Files\EXIF Viewer.HLP
2005-03-12 18:39 1,347,584 ----a-w c:\program files\Common Files\EXIF Viewer.exe
2005-02-03 22:45 26,097 ----a-w c:\program files\Common Files\TIF.jpg
2004-08-19 21:40 29,532 ----a-w c:\program files\Common Files\Nikon.jpg
2003-01-30 12:08 271 ---h--w c:\program files\desktop.ini
2003-01-30 12:08 21,952 ---h--w c:\program files\folder.htt
2002-09-17 15:20 35,456 ----a-w c:\program files\Common Files\EXIF Glossar.HLP
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"MaxBlastMonitor.exe"="c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [07-08-08 16:26 1169440]
"AcronisTimounterMonitor"="c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe" [07-08-08 16:39 1945448]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [07-08-08 16:31 148760]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [08-12-15 03:32 590848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [08-01-08 19:42 98304]
"PrevxCSI"="c:\program files\nbkbqylz\nbkbqylz.exe" [09-02-08 09:07 4107832]
"AtiPTA"="atiptaxx.exe" [02-07-25 04:04 290816 c:\winnt\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [02-03-20 21:23 46592 c:\winnt\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [07-12-11 01:28 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\eudora\EuShlExt.dll" [01-04-12 18:05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=upbvpr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.ACDV"= ACDV.dll

R?2 CSIScanner;CSIScanner;c:\program files\nbkbqylz\nbkbqylz.exe [2009-02-08 4107832]
R0 HPT302;HPT302;c:\winnt\system32\drivers\HPT302.sys [2002-12-23 22867]
R0 hptpro;hptpro;c:\winnt\system32\drivers\hptpro.sys [2002-12-10 9809]
R0 pxscan;pxscan;c:\winnt\system32\drivers\pxscan.sys [2009-02-08 21512]
R1 Avg7RsNT;AVG7 Resident Driver NT;c:\winnt\system32\drivers\avg7rsnt.sys [2007-12-11 26944]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2002-06-21 359135]
R3 EL910;3Com 3CSOHO100B-TX PCI;c:\winnt\system32\drivers\EL910ND5.sys [2002-05-29 38400]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-04-19 49776]
S0 disdayrp;disdayrp;c:\winnt\system32\drivers\szrmnutu.sys []
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2003-01-30 61712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [02-08-07 08:04 ]
.
- - - - ORPHANS REMOVED - - - -

BHO-{070661c5-3984-4c6a-9118-eef68efb9929} - c:\winnt\system32\upbvpr.dll
BHO-{9D646A4A-9F89-4749-9F68-4BDA3EEE7292} - c:\winnt\system32\opnmNFXn.dll
HKCU-Run-Start WingMan Profiler - (no file)
HKLM-Run-7cffbc58 - c:\winnt\system32\xyqadptv.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: View EXIF - c:\viewexif\EXIF.htm
LSP: %SystemRoot%\system32\msafd.dll
Name-Space Handler: ftp\FVLink.IELinkMonitor - {EE4303CB-EA2E-4020-8827-3B0C948BC5C9} - c:\program files\RhinoSoft.com\FTP Voyager1\FVLink.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 17:41:42
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\drivers\szrmnutu.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\winnt\system32\msv1_0.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-02-12 17:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 22:43:00

Pre-Run: 12,204,236,800 bytes free
Post-Run: 14,967,635,968 bytes free

168



------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:53 PM, on 2/12/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\nbkbqylz\nbkbqylz.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\nbkbqylz\nbkbqylz.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\nbkbqylz\nbkbqylz.exe" /bootupreg
O4 - HKLM\..\Run: [7cffbc58] rundll32.exe "C:\WINNT\system32\iwudsrgm.dll",b
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: upbvpr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5937 bytes

peku006
2009-02-13, 11:42
Hi mightymike

You didn't put HijackThis in its own folder... Like I already said: "Put HijackThis in its own folder: C:/Hijackthis/Hijackthis.exe. This is important for the backups!"

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [7cffbc58] rundll32.exe "C:\WINNT\system32\iwudsrgm.dll",b
O20 - AppInit_DLLs: upbvpr.dll


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\winnt\system32\nXFNmnpo.ini.2
c:\winnt\disdayrp
c:\winnt\system32\nXFNmnpo.ini.x
c:\winnt\system32\drivers\szrmnutu.sys
C:\WINNT\system32\iwudsrgm.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Driver::
disdayrp


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks, peku006
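A small parser for the HijackThis line formats that appear in the logs above (O2, O4, O20, O23), with the kind of heuristics a helper applies when turning a log into a "Fix checked" list. This is an added example, not code from the thread, from HijackThis or from Safer Networking. The sample lines are copied from the logs posted in this thread; the heuristics are my assumptions about what separates the entries the helper listed from the rest: a BHO registered with no name, a Run value named with 8 hex digits that loads a DLL through rundll32, any AppInit_DLLs entry, and file stems that look generated (a long run of consonants, as in opnmNFXn or iwudsrgm). Prevx's randomly named folder is deliberately not flagged because the O23 line reports a vendor, which matches the helper leaving it alone.

```python
"""Flag suspicious HijackThis v2 autostart entries (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D646A4A-9F89-4749-9F68-4BDA3EEE7292} - C:\WINNT\system32\opnmNFXn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [7cffbc58] rundll32.exe "C:\WINNT\system32\iwudsrgm.dll",b
O20 - AppInit_DLLs: upbvpr.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""

# Line layouts as printed by HijackThis v2 (taken from the logs above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
HEX8_RE = re.compile(r"^[0-9a-fA-F]{8}$")
VOWELS = set("aeiouAEIOU")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def file_stem(path: str) -> str:
    """File name without directory or extension, for either separator style."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def longest_consonant_run(text: str) -> int:
    run = best = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_random(path: str) -> bool:
    """Assumed heuristic: 6-8 letters containing a consonant run of 5 or more."""
    stem = file_stem(path)
    return stem.isalpha() and 6 <= len(stem) <= 8 and longest_consonant_run(stem) >= 5


def first_token(cmd: str) -> str:
    """Executable part of a Run command, honouring a quoted path with spaces."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def analyse(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        reasons: list[str] = []
        if m := O2_RE.match(line):
            section = "O2"
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if looks_random(m["path"]):
                reasons.append("random-looking DLL name")
        elif m := O4_RE.match(line):
            section = "O4"
            if HEX8_RE.match(m["value"]):
                reasons.append("Run value named with 8 hex digits")
            if d := RUNDLL_RE.match(m["cmd"]):
                reasons.append("rundll32 loads a DLL at logon")
                target = d["dll"]
            else:
                target = first_token(m["cmd"])
            if looks_random(target):
                reasons.append("random-looking file name")
        elif m := O20_RE.match(line):
            section = "O20"
            if m["dlls"].strip():
                reasons.append("AppInit_DLLs set: DLL loaded into every process that loads user32")
        elif m := O23_RE.match(line):
            section = "O23"
            if m["owner"] == "Unknown owner" and looks_random(m["path"]):
                reasons.append("service with unknown owner and random-looking binary name")
        else:
            continue  # other sections (R0, O3, O8, O9, O16, ...) are not analysed here
        if reasons:
            findings.append(Finding(section, line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample above, the three flagged lines are exactly the O2 (no name) BHO from the first log and the O4 and O20 entries the helper asked to fix; the consonant-run threshold is what keeps legitimate short names such as avgcc or SDHelper off the list, and it should be tuned against a known-clean log before being relied on.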

mightymike
2009-02-13, 23:45
ComboFix 09-02-12.03 - Administrator 02/13/2009 8:28:11.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.646 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\disdayrp
c:\winnt\system32\drivers\szrmnutu.sys
c:\winnt\system32\iwudsrgm.dll
c:\winnt\system32\nXFNmnpo.ini.2
c:\winnt\system32\nXFNmnpo.ini.x
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\disdayrp
c:\winnt\system32\clcczz.dll
c:\winnt\system32\dnghmnox.dll
c:\winnt\system32\drivers\jxcvinbb.sys
c:\winnt\system32\iwudsrgm.dll
c:\winnt\system32\mgrsduwi.ini
c:\winnt\system32\nnbrchsn.dll
c:\winnt\system32\nXFNmnpo.ini
c:\winnt\system32\nXFNmnpo.ini.2
c:\winnt\system32\nXFNmnpo.ini.x
c:\winnt\system32\nXFNmnpo.ini2
c:\winnt\system32\xonmhgnd.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISDAYRP
-------\Service_disdayrp


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-12 17:25 . 09-02-12 17:26 2,921,379 --a------ C:\ComboFix.exe
2009-02-12 17:19 . 09-02-13 08:24 <DIR> d-------- C:\hijackthis
2009-02-08 14:31 . 09-02-08 14:31 110 --a------ C:\backup-20090208-143128-902
2009-02-08 14:30 . 09-02-08 14:30 1,003 --a------ C:\backup-20090208-143055-160
2009-02-08 09:07 . 09-02-08 09:07 <DIR> d-------- c:\program files\nbkbqylz
2009-02-08 09:07 . 09-02-12 18:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-08 09:07 . 09-02-08 09:07 21,512 --a------ c:\winnt\system32\drivers\pxscan.sys
2009-02-08 08:21 . 09-02-08 08:21 163 --a------ C:\backup-20090208-082115-880
2009-02-08 08:21 . 09-02-08 08:21 110 --a------ C:\backup-20090208-082138-721
2009-02-08 08:20 . 09-02-08 08:20 110 --a------ C:\backup-20090208-082032-345
2009-02-08 08:16 . 09-02-08 08:16 0 --a------ c:\winnt\system32\hello
2009-02-08 07:39 . 09-02-08 07:39 110 --a------ C:\backup-20090208-073937-130
2009-02-08 07:19 . 09-02-08 07:19 110 --a------ C:\backup-20090208-071956-155
2009-02-08 07:17 . 09-02-08 07:17 110 --a------ C:\backup-20090208-071758-598
2009-02-08 03:19 . 09-02-08 03:19 137 --a------ C:\backup-20090208-031927-249
2009-02-08 03:19 . 09-02-08 03:19 110 --a------ C:\backup-20090208-031927-911
2009-02-08 03:19 . 09-02-08 03:19 69 --a------ C:\backup-20090208-031927-691
2009-02-08 01:45 . 09-02-08 01:45 302,592 -rah----- c:\winnt\system32\opnmNFXn.dll
2009-02-08 01:45 . 09-02-08 01:45 25,088 --a------ c:\winnt\system32\drivers\szrmnutu.sys
2009-02-08 01:37 . 09-02-08 13:34 <DIR> d-------- C:\acr-temp
2009-02-08 01:36 . 09-02-08 01:36 6,149,928 --a------ C:\DNG_Camera_Raw_4_2.zip
2009-02-08 01:12 . 09-02-08 01:12 <DIR> d-------- c:\program files\AskSearch
2009-02-08 01:11 . 09-02-08 01:12 1,754,496 --a------ C:\BitTorrent-6.1.2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 13:31 --------- d---a-w c:\documents and settings\All Users\Application Data\avg7
2009-02-13 13:09 --------- d-----w c:\program files\BitTorrent
2009-02-08 14:16 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-02-08 08:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-08 06:06 --------- d-----w c:\program files\eMule
2009-02-05 05:40 --------- d-----w c:\program files\FTP Commander
2008-12-18 02:33 --------- d-----w c:\program files\Qimage
2008-01-07 05:50 733 ----a-w c:\program files\Common Files\Exif.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifVgl.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifExc.cfg
2008-01-07 05:50 14,790 ----a-w c:\program files\Common Files\Kamera2.Cfg
2008-01-07 05:48 3 ----a-w c:\program files\Common Files\Exif Viewer.Jpg
2006-08-03 00:17 3,792,597 ----a-w c:\program files\Common Files\exif.xls
2005-09-18 05:55 2,255 ----a-w c:\program files\Common Files\dffdg.vgl
2005-08-30 23:04 8,628 ---ha-w c:\program files\Common Files\Exif Viewer.GID
2005-08-30 23:03 8,628 ---ha-w c:\program files\Common Files\Exif Glossar.GID
2005-03-12 18:49 609,358 ----a-w c:\program files\Common Files\EXIF Viewer.HLP
2005-03-12 18:39 1,347,584 ----a-w c:\program files\Common Files\EXIF Viewer.exe
2005-02-03 22:45 26,097 ----a-w c:\program files\Common Files\TIF.jpg
2004-08-19 21:40 29,532 ----a-w c:\program files\Common Files\Nikon.jpg
2003-01-30 12:08 271 ---h--w c:\program files\desktop.ini
2003-01-30 12:08 21,952 ---h--w c:\program files\folder.htt
2002-09-17 15:20 35,456 ----a-w c:\program files\Common Files\EXIF Glossar.HLP
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4B1904A-B8E8-4C6D-A4A1-EE40DE7CFF39}]
09-02-08 01:45 302592 -rah----- c:\winnt\system32\opnmNFXn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"MaxBlastMonitor.exe"="c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [07-08-08 16:26 1169440]
"AcronisTimounterMonitor"="c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe" [07-08-08 16:39 1945448]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [07-08-08 16:31 148760]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [08-12-15 03:32 590848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [08-01-08 19:42 98304]
"PrevxCSI"="c:\program files\nbkbqylz\nbkbqylz.exe" [09-02-08 09:07 4107832]
"7cffbc58"="c:\winnt\system32\dnghmnox.dll" [BU]
"AtiPTA"="atiptaxx.exe" [02-07-25 04:04 290816 c:\winnt\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [02-03-20 21:23 46592 c:\winnt\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [07-12-11 01:28 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\eudora\EuShlExt.dll" [01-04-12 18:05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.ACDV"= ACDV.dll

R?2 CSIScanner;CSIScanner;c:\program files\nbkbqylz\nbkbqylz.exe [2009-02-08 4107832]
R0 HPT302;HPT302;c:\winnt\system32\drivers\HPT302.sys [2002-12-23 22867]
R0 hptpro;hptpro;c:\winnt\system32\drivers\hptpro.sys [2002-12-10 9809]
R0 pxscan;pxscan;c:\winnt\system32\drivers\pxscan.sys [2009-02-08 21512]
R1 Avg7RsNT;AVG7 Resident Driver NT;c:\winnt\system32\drivers\avg7rsnt.sys [2007-12-11 26944]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2002-06-21 359135]
R3 EL910;3Com 3CSOHO100B-TX PCI;c:\winnt\system32\drivers\EL910ND5.sys [2002-05-29 38400]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-04-19 49776]
S0 nonfcpiu;nonfcpiu;c:\winnt\system32\drivers\siiknhus.sys --> c:\winnt\system32\drivers\siiknhus.sys [?]
S0 tirhpawb;tirhpawb;c:\winnt\system32\drivers\jxcvinbb.sys --> c:\winnt\system32\drivers\jxcvinbb.sys [?]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2003-01-30 61712]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [02-08-07 08:04 ]
.
- - - - ORPHANS REMOVED - - - -

BHO-{32acd154-c586-4203-8eea-a40cac18d0e8} - c:\winnt\system32\clcczz.dll


.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: View EXIF - c:\viewexif\EXIF.htm
LSP: %SystemRoot%\system32\msafd.dll
Name-Space Handler: ftp\FVLink.IELinkMonitor - {EE4303CB-EA2E-4020-8827-3B0C948BC5C9} - c:\program files\RhinoSoft.com\FTP Voyager1\FVLink.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 08:33:06
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\winnt\system32\msv1_0.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-02-13 8:34:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 13:34:27
ComboFix2.txt 2009-02-12 22:43:05

Pre-Run: 14,972,461,056 bytes free
Post-Run: 14,965,596,160 bytes free

165

------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1757
Windows 5.0.2195 Service Pack 4

2/13/2009 4:36:12 PM
mbam-log-2009-02-13 (16-36-12).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|M:\|N:\|Q:\|)
Objects scanned: 286297
Time elapsed: 1 hour(s), 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\opnmNFXn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\vjyqhvgj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ltmesumd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ozqebc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\niqwli.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318a12c9-b781-4a2d-8387-641215263b33} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{318a12c9-b781-4a2d-8387-641215263b33} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\itvagxbe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itvagxbe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cffbc58 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\niqwli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\opnmNFXn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\vjyqhvgj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ltmesumd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ozqebc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0CPBCCER\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\jxcvinbb.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\pnylimwz.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINNT\system32\drivers\szrmnutu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\pydhcamk.dll (Trojan.Agent) -> Delete on reboot.
C:\winamp508_full_emusic-7plus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WinPcap_3_0.exe (Trojan.Agent) -> Quarantined and deleted successfully.


------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:13 PM, on 2/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {830A836B-8674-49AF-BC33-2B2A8BABCA30} - C:\WINNT\system32\opnmNFXn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\nbkbqylz\nbkbqylz.exe" /bootupreg
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: niqwli.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5754 bytes

peku006
2009-02-14, 09:30
Hi mightymike

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {830A836B-8674-49AF-BC33-2B2A8BABCA30} - C:\WINNT\system32\opnmNFXn.dll (file missing)
O20 - AppInit_DLLs: niqwli.dll


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\winnt\system32\drivers\siiknhus.sys
c:\winnt\system32\drivers\jxcvinbb.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4B1904A-B8E8-4C6D-A4A1-EE40DE7CFF39}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7cffbc58"=-

Driver::
nonfcpiu
tirhpawb


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
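As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small Python triage of HijackThis log lines that applies mechanically the checks the helper above applied by eye: an O2 BHO registered with no name, an entry whose file is already missing, and a populated O20 AppInit_DLLs value, all of which are "fix" signals; an unidentified O10 Winsock LSP and random-looking file names are only "review" signals. The sample lines are constructed from the log posted above; the random-name rule is a crude heuristic and legitimate software trips it too (the Prevx scanner in this thread lives in such a folder, and SDHelper.dll would match as well), which is why it never by itself produces a "fix" verdict.

```python
"""Triage HijackThis log entries and list what would be ticked under 'Fix checked'."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the 2/13/2009 HijackThis log in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {830A836B-8674-49AF-BC33-2B2A8BABCA30} - C:\\WINNT\\system32\\opnmNFXn.dll (file missing)
O4 - HKLM\\..\\Run: [PrevxCSI] "C:\\Program Files\\nbkbqylz\\nbkbqylz.exe" /bootupreg
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O20 - AppInit_DLLs: niqwli.dll
O23 - Service: CSIScanner - Prevx - C:\\Program Files\\nbkbqylz\\nbkbqylz.exe
"""

# A HijackThis entry: section id (R0, O2, O20, ...), " - ", then the body.
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# File names (without extension) of .exe/.dll/.sys references in an entry body.
STEM = re.compile(r"([A-Za-z0-9_~-]+)\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Crude heuristic: 6-8 lowercase letters and nothing else.  The Vundo DLLs and
# drivers in this thread look like this, but so does the Prevx install folder,
# so this rule only ever yields a "review" verdict, never "fix".
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")


@dataclass
class Finding:
    section: str
    line: str
    fix: list = field(default_factory=list)     # strong enough to tick the entry
    review: list = field(default_factory=list)  # only warrants a closer look


def _stems(body: str) -> list:
    return [m.lower() for m in STEM.findall(body)]


def triage_line(line: str):
    """Return a Finding for a suspicious entry, or None if no rule matched."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    f = Finding(section, line.strip())
    if section == "O2" and "(no name)" in body:
        f.fix.append("BHO registered without a name")
    if body.endswith("(file missing)"):
        f.fix.append("registry still points at a file that is already gone")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        f.fix.append("AppInit_DLLs loads this DLL into every process that uses user32")
    if section == "O10":
        f.review.append("Winsock LSP HijackThis could not identify; removing a live LSP can break networking")
    for stem in _stems(body):
        if RANDOM_NAME.match(stem):
            f.review.append(f"random-looking file name '{stem}'")
            break
    return f if (f.fix or f.review) else None


def triage_log(text: str) -> list:
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def fix_checked(findings) -> list:
    """Lines to tick under HijackThis 'Fix checked': those with at least one 'fix' reason."""
    return [f.line for f in findings if f.fix]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(("FIX    " if f.fix else "REVIEW ") + f.line)
        for reason in f.fix + f.review:
            print("         - " + reason)
```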

mightymike
2009-02-14, 15:00
ComboFix 09-02-12.03 - Administrator 02/14/2009 7:50:26.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.778 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\drivers\jxcvinbb.sys
c:\winnt\system32\drivers\siiknhus.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\winnt\system32\kmachdyp.ini
c:\winnt\system32\nXFNmnpo.ini
c:\winnt\system32\nXFNmnpo.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_nonfcpiu
-------\Service_tirhpawb


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-14 07:43 . 09-02-14 07:43 745,662 ---h----- c:\winnt\ShellIconCache
2009-02-13 08:37 . 09-02-13 08:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 08:37 . 09-02-13 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-13 08:37 . 09-02-13 08:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-13 08:37 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-13 08:37 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-02-13 08:34 . 09-02-13 16:37 1,096 --a------ c:\winnt\itvagxbe
2009-02-12 17:25 . 09-02-12 17:26 2,921,379 --a------ C:\ComboFix.exe
2009-02-12 17:19 . 09-02-14 07:48 <DIR> d-------- C:\hijackthis
2009-02-08 14:31 . 09-02-08 14:31 110 --a------ C:\backup-20090208-143128-902
2009-02-08 14:30 . 09-02-08 14:30 1,003 --a------ C:\backup-20090208-143055-160
2009-02-08 09:07 . 09-02-08 09:07 <DIR> d-------- c:\program files\nbkbqylz
2009-02-08 09:07 . 09-02-12 18:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-08 09:07 . 09-02-08 09:07 21,512 --a------ c:\winnt\system32\drivers\pxscan.sys
2009-02-08 08:21 . 09-02-08 08:21 163 --a------ C:\backup-20090208-082115-880
2009-02-08 08:21 . 09-02-08 08:21 110 --a------ C:\backup-20090208-082138-721
2009-02-08 08:20 . 09-02-08 08:20 110 --a------ C:\backup-20090208-082032-345
2009-02-08 08:16 . 09-02-08 08:16 0 --a------ c:\winnt\system32\hello
2009-02-08 07:39 . 09-02-08 07:39 110 --a------ C:\backup-20090208-073937-130
2009-02-08 07:19 . 09-02-08 07:19 110 --a------ C:\backup-20090208-071956-155
2009-02-08 07:17 . 09-02-08 07:17 110 --a------ C:\backup-20090208-071758-598
2009-02-08 03:19 . 09-02-08 03:19 137 --a------ C:\backup-20090208-031927-249
2009-02-08 03:19 . 09-02-08 03:19 110 --a------ C:\backup-20090208-031927-911
2009-02-08 03:19 . 09-02-08 03:19 69 --a------ C:\backup-20090208-031927-691
2009-02-08 01:37 . 09-02-08 13:34 <DIR> d-------- C:\acr-temp
2009-02-08 01:36 . 09-02-08 01:36 6,149,928 --a------ C:\DNG_Camera_Raw_4_2.zip
2009-02-08 01:12 . 09-02-08 01:12 <DIR> d-------- c:\program files\AskSearch
2009-02-08 01:11 . 09-02-08 01:12 1,754,496 --a------ C:\BitTorrent-6.1.2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 12:45 --------- d---a-w c:\documents and settings\All Users\Application Data\avg7
2009-02-13 13:09 --------- d-----w c:\program files\BitTorrent
2009-02-08 14:16 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2009-02-08 08:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-08 06:06 --------- d-----w c:\program files\eMule
2009-02-05 05:40 --------- d-----w c:\program files\FTP Commander
2008-12-18 02:33 --------- d-----w c:\program files\Qimage
2008-01-07 05:50 733 ----a-w c:\program files\Common Files\Exif.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifVgl.Cfg
2008-01-07 05:50 2,255 ----a-w c:\program files\Common Files\ExifExc.cfg
2008-01-07 05:50 14,790 ----a-w c:\program files\Common Files\Kamera2.Cfg
2008-01-07 05:48 3 ----a-w c:\program files\Common Files\Exif Viewer.Jpg
2006-08-03 00:17 3,792,597 ----a-w c:\program files\Common Files\exif.xls
2005-09-18 05:55 2,255 ----a-w c:\program files\Common Files\dffdg.vgl
2005-08-30 23:04 8,628 ---ha-w c:\program files\Common Files\Exif Viewer.GID
2005-08-30 23:03 8,628 ---ha-w c:\program files\Common Files\Exif Glossar.GID
2005-03-12 18:49 609,358 ----a-w c:\program files\Common Files\EXIF Viewer.HLP
2005-03-12 18:39 1,347,584 ----a-w c:\program files\Common Files\EXIF Viewer.exe
2005-02-03 22:45 26,097 ----a-w c:\program files\Common Files\TIF.jpg
2004-08-19 21:40 29,532 ----a-w c:\program files\Common Files\Nikon.jpg
2003-01-30 12:08 271 ---h--w c:\program files\desktop.ini
2003-01-30 12:08 21,952 ---h--w c:\program files\folder.htt
2002-09-17 15:20 35,456 ----a-w c:\program files\Common Files\EXIF Glossar.HLP
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"MaxBlastMonitor.exe"="c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [07-08-08 16:26 1169440]
"AcronisTimounterMonitor"="c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe" [07-08-08 16:39 1945448]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [07-08-08 16:31 148760]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [08-12-15 03:32 590848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [08-01-08 19:42 98304]
"PrevxCSI"="c:\program files\nbkbqylz\nbkbqylz.exe" [09-02-08 09:07 4107832]
"AtiPTA"="atiptaxx.exe" [02-07-25 04:04 290816 c:\winnt\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [02-03-20 21:23 46592 c:\winnt\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [07-12-11 01:28 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-27 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\eudora\EuShlExt.dll" [01-04-12 18:05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.ACDV"= ACDV.dll

R?2 CSIScanner;CSIScanner;c:\program files\nbkbqylz\nbkbqylz.exe [2009-02-08 4107832]
R0 HPT302;HPT302;c:\winnt\system32\drivers\HPT302.sys [2002-12-23 22867]
R0 hptpro;hptpro;c:\winnt\system32\drivers\hptpro.sys [2002-12-10 9809]
R0 pxscan;pxscan;c:\winnt\system32\drivers\pxscan.sys [2009-02-08 21512]
R1 Avg7RsNT;AVG7 Resident Driver NT;c:\winnt\system32\drivers\avg7rsnt.sys [2007-12-11 26944]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2002-06-21 359135]
R3 EL910;3Com 3CSOHO100B-TX PCI;c:\winnt\system32\drivers\EL910ND5.sys [2002-05-29 38400]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-04-19 49776]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2003-01-30 61712]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [02-08-07 08:04 ]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: View EXIF - c:\viewexif\EXIF.htm
LSP: %SystemRoot%\system32\msafd.dll
Name-Space Handler: ftp\FVLink.IELinkMonitor - {EE4303CB-EA2E-4020-8827-3B0C948BC5C9} - c:\program files\RhinoSoft.com\FTP Voyager1\FVLink.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 07:55:15
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\winnt\system32\msv1_0.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-02-14 7:56:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 12:56:32
ComboFix2.txt 2009-02-13 13:34:31
ComboFix3.txt 2009-02-12 22:43:05

Pre-Run: 15,181,156,352 bytes free
Post-Run: 15,182,319,616 bytes free

153

-------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:21 AM, on 2/14/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\nbkbqylz\nbkbqylz.exe" /bootupreg
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5612 bytes

peku006
2009-02-14, 15:37
Hi mightymike

Looking good :)
Let's make sure we got everything

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - F-Secure Online Scan

Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options: Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics
Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want to decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

mightymike
2009-02-15, 00:46
Before I start with the ATF Cleaner: I downloaded and ran it, and the "Prefetch" option is grayed out with the word "Disabled" in brackets beside it. Should I continue even though the one option is disabled?

peku006
2009-02-15, 09:21
Hi mightymike
Yes, continue with the next step.

mightymike
2009-02-15, 15:58
The online antivirus program seems to have crashed internet explorer, or maybe another virus on the machine didn't like it.

Please advise.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:42 AM, on 2/15/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\nbkbqylz\nbkbqylz.exe" /bootupreg
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5838 bytes

peku006
2009-02-16, 21:22
Hi mightymike

Let's try this

Please go to Eset website (http://www.eset.com/onlinescan/) to perform an online scan. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Uncheck (untick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

How's the computer running now? Any problems?

Thanks peku006

mightymike
2009-02-17, 07:09
The computer seems to be running without issues now, but the scan found these... just noticed they're in quarantine... and the other file is dormant and not in use; it can be deleted without issue.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3859 (20090217)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a86f693c32468444a3039e8112bd91de
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-02-17 05:03:42
# local_time=2009-02-17 12:03:42 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=414407
# found=6
# scan_time=4002
C:\Program Files\Common Files\danqspqn\ddrdntdpct\lufeqfnbo.exe Win32/Agent.AY trojan 75A38E6C92AAB31ADE5D0D12A049C983
C:\Qoobox\Quarantine\C\WINNT\system32\dnghmnox.dll.vir Win32/Adware.Virtumonde application BD8BB35279640982349B981D5A960E98
C:\Qoobox\Quarantine\C\WINNT\system32\iwudsrgm.dll.vir Win32/Adware.Virtumonde application BD8BB35279640982349B981D5A960E98
C:\Qoobox\Quarantine\C\WINNT\system32\xyqadptv.dll.vir Win32/Adware.Virtumonde application BD8BB35279640982349B981D5A960E98
F:\FZ30\100_PANA\program123.zip probably a variant of Win32/Spy.Agent trojan B32E2A16EE07448D1DC35B31EC59F0C0
F:\FZ30\100_PANA\program123.zip »ZIP »RawShooter.exe probably a variant of Win32/Spy.Agent trojan 00000000000000000000000000000000

mightymike
2009-02-17, 07:10
Excuse me, but the first item isn't in quarantine; I guess it needs to be dealt with.

peku006
2009-02-17, 12:47
Hi mightymike

1 - Download and Run OTMoveIt3

Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.
Double-click OTMoveIt3.exe.
Copy the lines in the codebox below.

:files
C:\Program Files\Common Files\danqspqn
F:\FZ30\100_PANA\program123.zip


Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the OTMoveIt3 Log
2. a fresh HijackThis log

Thanks peku006
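As an added example (not code from the thread, from ESET or from OldTimer), a small Python triage script for the ESET Online Scanner log format mightymike posted and the OTMoveIt3 :files block peku006 built from it: it parses the `# key=value` header and the `<path> <threat> <md5>` detection lines, treats anything under ComboFix's C:\Qoobox\Quarantine folder as already quarantined, collapses »-nested archive members onto their container file, and emits a :files block for what is still live. The log text inside is constructed from the lines in the thread, and the quarantine prefix and the line regex are assumptions about the format rather than ESET documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ESET Online Scanner log format: a few header
# lines plus four of the detection lines quoted in the thread.
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# found=4
C:\Program Files\Common Files\danqspqn\ddrdntdpct\lufeqfnbo.exe Win32/Agent.AY trojan 75A38E6C92AAB31ADE5D0D12A049C983
C:\Qoobox\Quarantine\C\WINNT\system32\dnghmnox.dll.vir Win32/Adware.Virtumonde application BD8BB35279640982349B981D5A960E98
F:\FZ30\100_PANA\program123.zip probably a variant of Win32/Spy.Agent trojan B32E2A16EE07448D1DC35B31EC59F0C0
F:\FZ30\100_PANA\program123.zip »ZIP »RawShooter.exe probably a variant of Win32/Spy.Agent trojan 00000000000000000000000000000000
"""

# Detection line: <path> <threat text> <32-hex MD5>.  Paths contain spaces, so the
# threat text is found as the first token with a '/' (e.g. Win32/Agent.AY),
# optionally preceded by "probably a variant of".  Assumed format, not ESET's spec.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?\w+/\S+(?:\s+\S+)*?)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"  # ComboFix quarantine (assumed)
ARCHIVE_SEP = " \u00bb"  # ESET marks members inside archives with " »"

@dataclass
class Detection:
    path: str    # as logged, including any »nested archive member
    threat: str
    md5: str

    @property
    def container(self) -> str:
        """The file actually on disk (the archive itself for nested hits)."""
        return self.path.split(ARCHIVE_SEP, 1)[0]

    @property
    def quarantined(self) -> bool:
        return self.container.lower().startswith(QUARANTINE_PREFIX)

def parse_eset_log(text):
    """Return (header dict, [Detection]) from ESET Online Scanner log text."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:  # any other line is left alone rather than guessed at
            detections.append(Detection(**m.groupdict()))
    return header, detections

def live_detections(detections):
    """Hits still outside quarantine, one per on-disk file."""
    seen, out = set(), []
    for d in detections:
        if not d.quarantined and d.container not in seen:
            seen.add(d.container)
            out.append(d)
    return out

def otmoveit_files_block(detections):
    """OTMoveIt3 ':files' directive listing the live files to be moved."""
    return "\n".join([":files", *(d.container for d in live_detections(detections))])
```

Note that peku006's script above lists the parent folder danqspqn rather than the single executable; this output lists the detected file itself, so widen it by hand where a whole dropped folder should go.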

mightymike
2009-02-17, 16:48
========== FILES ==========
C:\Program Files\Common Files\danqspqn\ddrdntdpct moved successfully.
C:\Program Files\Common Files\danqspqn moved successfully.
F:\FZ30\100_PANA\program123.zip moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02172009_094427

--------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:21 AM, on 2/17/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\ACD Systems\ACDSee\8.0.Pro\ACDSee8Pro.exe
C:\WINNT\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\nbkbqylz\nbkbqylz.exe" /bootupreg
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: View EXIF - C:\ViewEXIF\EXIF.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\nbkbqylz\nbkbqylz.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6054 bytes

peku006
2009-02-17, 16:56
Hi mightymike
The scans are fine and it looks like your machine is clean :yahoo:

Next we remove all used tools.

Uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:

mightymike
2009-02-17, 18:24
Many thanks for your help. I'll have a look through the programs; I won't guarantee I'll install all of them, but I do already have Spybot Search and Destroy, and I'll be using free-av.com's antivirus once I remove my old AVG... I pretty well know how I got the virus/trojan and won't be doing the same thing again... I usually go virus/trojan free for years, and it's my own darn fault for doing something questionable... As for the list of bad sites, I sure will be using that.

Once again, many thanks!

Mike