BIG problems with Smithfraud-C

D

dashlf

New member
Hi -

I have 6 infections of Smithfraud-C that Spybot cannot remove. I tried running a TrendMicro virus scan, and made it about 90% of the way through before it stopped doing anything. I scanned again with Spybot only to discover many of the spyware originally removed had reappeared. I have run several scans again, and now only seem to have the Smithfraud infection.

Part of my difficult is that I do not have a visible toolbar, start button, or icons. Only the desktop picture appears. The only way I can access any programs is by using the Task Manager. At present, I am not longer even able to access the internet with the Task Manager (can't get back to TrendMicro anymore), so I can't even run a Kaspersky scanner or a TrendMicro "HijackThis".

Help!

What can I do to get rid of this infection? I'm at a total loss at this point, because I can't even give you the information you typically ask for. This is a brand new computer, so it doesn't have much on it yet. I have the Dell Reinstallation CD, and have no problem utilizing it if that will be effective at all.

Thank you in advance for your assistance.
 
Hi - somehow managed a clean enough log in to download the Hijack This program - here's the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:32 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\DOCUME~1\Dave\LOCALS~1\Temp\msprint.exe
C:\DOCUME~1\Dave\LOCALS~1\Temp\winlogan.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {7f3ea905-de65-4d00-bc1f-ff3a77f8ca30} - C:\WINDOWS\system32\qoMeeCUK.dll
O2 - BHO: DVA First - {8377285e-f9ce-4deb-936c-04caf05f0512} - C:\WINDOWS\qvlbodmnlks.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: mkrndofl - {503AA2B1-C257-44D3-82D9-43FD349561A6} - C:\WINDOWS\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Dave\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Dave\LOCALS~1\Temp\msprint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Dave\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Dave\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Dave\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{900EF8A5-909B-4E81-9E8C-7FD24E854AB3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: qoMeeCUK - C:\WINDOWS\SYSTEM32\qoMeeCUK.dll
O21 - SSODL: wetkadmr - {0E48A147-984C-4931-A1B9-3F9BB91B01A2} - C:\WINDOWS\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B8222729-CC90-4DA8-8584-4E0169D1C455} - C:\WINDOWS\tdomgafw.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 6059 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
 
ComboFix log

ComboFix 08-05-01.3 - Dave 2008-05-04 13:51:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.760 [GMT -5:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d.exe
C:\Documents and Settings\Dave\cftmon.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\Program Files\antiviirus.exe
C:\Program Files\tmp0.exe
C:\Program Files\tmp1.exe
C:\Program Files\tmp2.exe
C:\Program Files\tmp3.exe
C:\smp.bat
C:\WINDOWS\17PHolmes1535.exe
C:\WINDOWS\resources\CheckChk.dll
C:\WINDOWS\system32\382077\382077.dll
C:\WINDOWS\system32\cbXOGXPH.dll
C:\WINDOWS\system32\ddcayxuS.dll
C:\WINDOWS\system32\ddcBSKEw.dll
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\geBrSKET.dll
C:\WINDOWS\system32\kdwtf.exe
C:\WINDOWS\system32\mlJAsSLC.dll
C:\WINDOWS\system32\mlJBSliI.dll
C:\WINDOWS\system32\nnnlllKA.dll
C:\WINDOWS\system32\nnnMdccb.dll
C:\WINDOWS\system32\qoMeeCUK.dll
C:\WINDOWS\system32\Suxyacdd.ini
C:\WINDOWS\system32\Suxyacdd.ini2
C:\WINDOWS\system32\tuvSjGYs.dll
C:\WINDOWS\system32\urqomkj.dll
C:\WINDOWS\system32\urqRkHYP.dll
C:\WINDOWS\system32\vEMSrtwa.ini
C:\WINDOWS\system32\vEMSrtwa.ini2
C:\WINDOWS\system32\vtUmLDWM.dll
C:\WINDOWS\system32\xxyayVlI.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Service_Schedule


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 22:10 . 2008-05-04 13:56 <DIR> d-------- C:\WINDOWS\system32\382077
2008-05-03 22:08 . 2008-05-03 22:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 22:08 . 2008-05-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-03 22:01 . 2008-05-03 22:01 396,288 --a------ C:\Program Files\HijackThis.exe
2008-05-03 19:00 . 2008-05-03 19:00 <DIR> d-------- C:\WINDOWS\Sun
2008-05-03 18:59 . 2008-05-03 18:59 <DIR> d-------- C:\Program Files\Java
2008-05-03 18:59 . 2008-05-03 18:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-03 18:59 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-05-03 18:29 . 2008-05-03 18:40 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2008-05-03 16:46 . 2008-05-03 17:42 573 --a------ C:\WINDOWS\wininit.ini
2008-05-03 16:36 . 2008-05-02 21:39 266,240 --a------ C:\WINDOWS\qvlbodmnlks.dll
2008-05-03 16:36 . 2008-05-02 21:38 217,088 --a------ C:\WINDOWS\tdomgafw.dll
2008-05-03 16:36 . 2008-05-02 21:39 110,592 --a------ C:\WINDOWS\svorbmke.exe
2008-05-03 16:36 . 2008-05-02 21:40 90,112 --a------ C:\WINDOWS\knxsrgte.exe
2008-05-03 16:10 . 2008-05-03 16:19 74,752 --a------ C:\mxuxc.exe
2008-05-03 16:10 . 2008-05-04 13:58 70,578 --a------ C:\WINDOWS\system32\kzq5re.sys
2008-05-03 16:10 . 2008-05-03 16:19 13,824 --a------ C:\kbvxxo.exe
2008-05-03 16:10 . 2008-05-03 16:10 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-05-03 16:10 . 2008-05-03 16:19 2 --a------ C:\-666500985
2008-05-03 16:07 . 2008-05-03 16:07 <DIR> d---s---- C:\Documents and Settings\Dave\UserData
2008-05-03 15:38 . 2008-05-03 15:39 <DIR> d-------- C:\VSTPlugIns
2008-05-03 15:21 . 2008-05-03 15:21 <DIR> d-------- C:\Program Files\DirectiXer
2008-05-03 14:31 . 2008-05-03 14:33 <DIR> d-------- C:\Program Files\Audacity
2008-05-03 14:17 . 2000-11-27 04:02 163,840 -ra------ C:\WINDOWS\system32\rddP1009.dat
2008-05-03 14:17 . 2000-11-27 04:04 42,860 -ra------ C:\WINDOWS\system32\drivers\rdwm1009.sys
2008-05-03 14:17 . 2000-11-27 04:03 25,291 -ra------ C:\WINDOWS\system32\rddv1009.dll
2008-05-03 14:09 . 2008-05-03 14:09 <DIR> d-------- C:\Documents and Settings\Dave\WINDOWS
2008-05-03 14:06 . 2008-05-03 14:06 <DIR> d-------- C:\Program Files\FruityloopsExpress
2008-05-03 14:05 . 2008-05-03 14:05 <DIR> d-------- C:\Program Files\Tutorials
2008-05-03 14:05 . 2008-05-03 14:05 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2008-05-03 14:04 . 2008-05-03 14:06 <DIR> d-------- C:\Program Files\Sample Content
2008-05-03 14:04 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Drum Styles
2008-05-03 14:04 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Cakewalk
2008-05-03 14:04 . 2008-05-03 15:56 <DIR> d-------- C:\Cakewalk Projects
2008-05-03 14:04 . 2001-07-06 01:00 7,262,208 --a------ C:\Program Files\CWHS.EXE
2008-05-03 14:04 . 2001-07-06 01:00 2,240,512 --a------ C:\Program Files\cw10hyph.dll
2008-05-03 14:04 . 2001-07-06 01:00 794,624 --a------ C:\Program Files\cw10aud.dll
2008-05-03 14:04 . 2001-07-06 01:00 524,800 --a------ C:\Program Files\rnco3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 487,936 --a------ C:\Program Files\rmme3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 487,936 --a------ C:\Program Files\rmbe3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 430,080 --a------ C:\Program Files\cj609lib.dll
2008-05-03 14:04 . 2001-07-06 01:00 410,112 --a------ C:\Program Files\encn3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 352,768 --a------ C:\Program Files\pngu3263.dll
2008-05-03 14:04 . 2001-07-06 01:00 321,024 --a------ C:\Program Files\rmto3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 273,408 --a------ C:\Program Files\pncrt.dll
2008-05-03 14:04 . 2001-07-06 01:00 272,896 --a------ C:\Program Files\erv23260.dll
2008-05-03 14:04 . 2001-07-06 01:00 200,704 --a------ C:\Program Files\automation.dll
2008-05-03 14:04 . 2001-01-05 17:51 162,304 --a------ C:\Program Files\UNWISE.EXE
2008-05-03 14:04 . 2001-07-06 01:00 110,592 --a------ C:\Program Files\cwdxpx1.dll
2008-05-03 14:04 . 2001-07-06 01:00 94,208 --a------ C:\Program Files\erv13260.dll
2008-05-03 14:04 . 2001-07-06 01:00 84,992 --a------ C:\Program Files\14_43260.dll
2008-05-03 14:04 . 2001-07-06 01:00 81,920 --a------ C:\Program Files\raencode.dll
2008-05-03 14:04 . 2001-07-06 01:00 81,408 --a------ C:\Program Files\ednt3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 60,416 --a------ C:\Program Files\espr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 52,736 --a------ C:\Program Files\rv203260.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,184 --a------ C:\Program Files\cw10sq16.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,056 --a------ C:\Program Files\cw10sq32.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,056 --a------ C:\Program Files\28_83260.dll
2008-05-03 14:04 . 2001-07-06 01:00 41,984 --a------ C:\Program Files\sdpp3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 30,720 --a------ C:\Program Files\auth3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 30,208 --a------ C:\Program Files\rn5a3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 28,672 --a------ C:\Program Files\rv103260.dll
2008-05-03 14:04 . 2001-07-06 01:00 25,600 --a------ C:\Program Files\basc3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 24,576 --a------ C:\Program Files\cook3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 23,552 --a------ C:\Program Files\cokr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 21,504 --a------ C:\Program Files\enlv3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\dnet3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\cw10sq16thk.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\cw10dx16thk.dll
2008-05-03 14:04 . 2001-07-06 01:00 16,896 --a------ C:\Program Files\sipr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 11,264 --a------ C:\Program Files\pnrs3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 9,312 --a------ C:\Program Files\cw10dx16.dll
2008-05-03 14:04 . 2001-07-06 01:00 6 --a------ C:\Program Files\gmsystem.syx
2008-05-03 14:03 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\MusicLab
2008-05-03 14:00 . 2008-05-03 14:00 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-03 14:00 . 2008-05-03 14:00 <DIR> d-------- C:\Program Files\activePDF
2008-05-03 14:00 . 2006-12-11 15:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-05-03 12:47 . 2008-05-03 12:47 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Autodesk
2008-05-03 12:25 . 2008-05-04 13:56 <DIR> d-------- C:\Documents and Settings\Dave
2008-05-03 12:25 . 2008-05-04 13:58 118,784 --ah----- C:\Documents and Settings\Dave\ntuser.dat.LOG
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\WINDOWS\occache
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\WexTech
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\LHSPF
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-03 11:50 . 1999-06-03 12:05 170,496 --a------ C:\WINDOWS\system32\awrtl30.dll
2008-05-03 11:50 . 1998-08-04 11:22 111,616 --a------ C:\WINDOWS\system32\Ltih30tb.dll
2008-05-03 11:02 . 2008-05-03 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-05-03 10:56 . 2008-05-03 10:56 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-03 10:40 . 2008-05-03 10:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-03 10:40 . 2008-05-03 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 10:33 . 2008-05-03 10:33 35,262 --a------ C:\WINDOWS\Administrator.acl
2008-05-03 10:10 . 2008-05-04 10:00 872,448 --ah----- C:\ffastun0.ffx
2008-05-03 10:10 . 2008-05-04 10:00 151,552 --ah----- C:\ffastun.ffo
2008-05-03 10:10 . 2008-05-04 10:00 4,717 --ah----- C:\ffastun.ffa
2008-05-03 10:09 . 2008-05-03 10:09 <DIR> d-------- C:\WINDOWS\SendTo
2008-05-03 10:09 . 2008-05-04 10:00 352,256 --ah----- C:\ffastun.ffl
2008-05-03 10:09 . 2008-05-03 10:09 69,632 --a------ C:\WINDOWS\system32\system.mdw
2008-05-03 10:09 . 2008-05-03 10:09 6,209 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-05-03 10:09 . 2008-05-03 10:09 611 --a------ C:\WINDOWS\ODBC.INI
2008-05-03 10:09 . 2008-05-03 10:09 22 --a------ C:\WINDOWS\exchng.ini
2008-05-03 10:08 . 2008-05-03 10:09 <DIR> d-------- C:\WINDOWS\forms
2008-05-03 10:08 . 2008-05-03 10:08 <DIR> d-------- C:\Program Files\Windows Messaging
2008-05-03 10:05 . 2008-05-03 11:51 <DIR> d-------- C:\Program Files\AutoCAD LT 2000i
2008-05-03 10:05 . 2008-05-03 10:05 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-03 10:02 . 2008-05-03 12:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-03 10:01 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-30 21:42 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\M-Audio
2008-04-30 21:42 . 2008-05-03 14:05 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 21:42 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-30 21:42 . 2006-05-01 16:46 2,405,806 --a------ C:\WINDOWS\system32\pcifmdio.dll
2008-04-30 21:42 . 2004-09-10 00:45 1,122,304 --a------ C:\WINDOWS\system32\deltapnl.exe
2008-04-30 21:42 . 2005-10-06 21:31 292,992 --a------ C:\WINDOWS\system32\drivers\delta.sys
2008-04-30 21:42 . 2004-08-27 06:43 56,320 --a------ C:\WINDOWS\system32\DeltTray.exe
2008-04-30 21:42 . 2004-09-10 00:45 44,032 --a------ C:\WINDOWS\system32\deltapnl.dll
2008-04-30 21:42 . 2005-10-06 21:31 20,480 --a------ C:\WINDOWS\system32\deltasio.dll
2008-04-30 21:42 . 2004-08-13 20:06 5,120 --a------ C:\WINDOWS\system32\DeltaCPL.cpl
2008-04-30 21:32 . 2008-05-03 20:22 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-30 17:26 . 2004-08-04 06:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-30 17:26 . 2004-08-04 06:15 145,792 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-04-30 17:26 . 2004-08-04 06:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-30 17:26 . 2004-08-04 06:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-04-30 17:26 . 2004-08-04 00:58 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-04-30 17:26 . 2004-08-04 00:58 7,552 --a--c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-04-30 17:26 . 2004-08-04 00:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 03:01 6,060 ----a-w C:\Program Files\hijackthis.log
2008-05-03 20:56 1,469 ----a-w C:\Program Files\AUD.INI
2008-05-03 20:56 1,409 ----a-w C:\Program Files\TTSNOTE.FOR
2008-05-03 19:26 140 ----a-w C:\Program Files\TTSSEQ.INI
2008-05-03 19:11 5,592 ----a-w C:\Program Files\WaveProf.Txt
2008-05-03 19:06 23,311 ----a-w C:\Program Files\INSTALL.LOG
2008-05-03 19:05 57,436 ----a-w C:\Program Files\cakewalk.ini
2001-07-06 16:22 1,532,865 ----a-w C:\Program Files\cwhs.chm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8377285e-f9ce-4deb-936c-04caf05f0512}]
2008-05-02 21:39 266240 --a------ C:\WINDOWS\qvlbodmnlks.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
2008-05-03 16:10 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{503AA2B1-C257-44D3-82D9-43FD349561A6}"= "C:\WINDOWS\mkrndofl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{503aa2b1-c257-44d3-82d9-43fd349561a6}]
[HKEY_CLASSES_ROOT\mkrndofl.1]
[HKEY_CLASSES_ROOT\TypeLib\{96F7BAE9-BC94-4206-8466-1FA321178963}]
[HKEY_CLASSES_ROOT\mkrndofl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"="C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe" [2008-05-04 13:58 15505]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 06:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-27 06:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-03 10:02:47 113664]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [2008-05-03 16:10 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wetkadmr"= {0E48A147-984C-4931-A1B9-3F9BB91B01A2} - C:\WINDOWS\wetkadmr.dll [ ]
"tdomgafw"= {B8222729-CC90-4DA8-8584-4E0169D1C455} - C:\WINDOWS\tdomgafw.dll [2008-05-02 21:38 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= rddv1009.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-17 23:05]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 17:14]
R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-17 21:12]
R0 megasas;DELL PERC RAID Driver;C:\WINDOWS\system32\drivers\megasas.sys [2006-04-18 12:51]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 19:16]
S3 RD1009;Roland UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys [2000-11-27 04:04]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 13:02]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 13:58:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-05-04 13:59:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 18:59:07

Pre-Run: 153,451,397,120 bytes free
Post-Run: 153,540,894,720 bytes free

257
 
2nd HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:45 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: DVA First - {8377285e-f9ce-4deb-936c-04caf05f0512} - C:\WINDOWS\qvlbodmnlks.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: mkrndofl - {503AA2B1-C257-44D3-82D9-43FD349561A6} - C:\WINDOWS\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{900EF8A5-909B-4E81-9E8C-7FD24E854AB3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: wetkadmr - {0E48A147-984C-4931-A1B9-3F9BB91B01A2} - C:\WINDOWS\wetkadmr.dll (file missing)
O21 - SSODL: tdomgafw - {B8222729-CC90-4DA8-8584-4E0169D1C455} - C:\WINDOWS\tdomgafw.dll
O21 - SSODL: CheckChk - {72cc3e68-b336-4420-80bc-5fc183b9f174} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll

--
End of file - 4967 bytes
 
Hi

Do you recognize following file? If not upload it to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\dsdxirmv.exe




Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\qvlbodmnlks.dll
C:\WINDOWS\tdomgafw.dll
C:\WINDOWS\svorbmke.exe
C:\WINDOWS\knxsrgte.exe
C:\mxuxc.exe
C:\WINDOWS\system32\kzq5re.sys
C:\kbvxxo.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\-666500985
C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe

DirLook::
C:\WINDOWS\system32\382077

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8377285e-f9ce-4deb-936c-04caf05f0512}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{503AA2B1-C257-44D3-82D9-43FD349561A6}"=-

[-HKEY_CLASSES_ROOT\clsid\{503aa2b1-c257-44d3-82d9-43fd349561a6}]
[-HKEY_CLASSES_ROOT\mkrndofl.1]
[-HKEY_CLASSES_ROOT\TypeLib\{96F7BAE9-BC94-4206-8466-1FA321178963}]
[-HKEY_CLASSES_ROOT\mkrndofl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wetkadmr"=-
"tdomgafw"=-
"CheckChk"=-


Save this as
CFScript


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file, a fresh hjt log and above meantioned ComboFix resultant log in your next reply.
 
Blade81 said:
Hi

Do you recognize following file? If not upload it to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\dsdxirmv.exe
Click to expand...

Hi -

Sorry - I didn't understand what you meant in that quoted part, and then I wasn't able to open an internet connection before doing all the other functions you listed. Do I need to do that again? If so, can you explain it differently? Thanks.

Here's the Malwarebyte's log:



Malwarebytes' Anti-Malware 1.11
Database version: 715

Scan type: Full Scan (C:\|)
Objects scanned: 49520
Time elapsed: 10 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 86

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f0a035ec-c865-4e47-bf73-b17741dd5232} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mkrndofl.bknp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mkrndofl.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{53b70190-18ac-4a9b-9999-ab5a2ee144b1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8a3a5e9e-e192-4c90-9d41-b8de0916e03e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{638a8e0c-f206-471c-b346-9596addbb026} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{488250ee-19cb-433a-8f37-ceba84093a7d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\382077 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\kbvxxo.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\mxuxc.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Dave\cftmon.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Dave\LOCALS~1\temp\csrssc.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\cftmon.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\antiviirus.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\tmp0.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\tmp1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\tmp2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\tmp3.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\17PHolmes1535.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\Resources\CheckChk.dll.vir (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXOGXPH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcayxuS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcBSKEw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\geBrSKET.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jfiehayd.dll.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kzq5re.sys.vir (Trojan.Peed) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJAsSLC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJBSliI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\MoveEx_kzq5re.sys.vir (Trojan.Peed) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnlllKA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnMdccb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMeeCUK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvSjGYs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqomkj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqRkHYP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUmLDWM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyayVlI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\382077\382077.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP11\A0002773.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002775.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002777.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002779.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002782.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002783.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002784.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002785.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002790.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002792.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002795.dll (Adware.E404) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002796.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002806.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0003778.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0003789.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP13\A0003868.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP13\A0003869.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP13\A0003894.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP13\A0003895.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003906.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003907.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003910.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003911.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003912.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003913.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003914.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003915.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003916.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003917.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003918.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003919.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003920.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003921.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003922.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003923.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003924.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003925.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003926.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003927.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003928.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003930.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003931.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003933.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003934.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003939.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003945.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003962.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004017.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004018.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004019.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004023.dll (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004028.sys (Trojan.Peed) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004040.sys (Trojan.Peed) -> Quarantined and deleted successfully.
 
HJT Log is here:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:51 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{900EF8A5-909B-4E81-9E8C-7FD24E854AB3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4034 bytes






ComboFix log is here:


ComboFix 08-05-01.3 - Dave 2008-05-04 14:58:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.772 [GMT -5:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-666500985
C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
C:\kbvxxo.exe
C:\mxuxc.exe
C:\WINDOWS\knxsrgte.exe
C:\WINDOWS\qvlbodmnlks.dll
C:\WINDOWS\svorbmke.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\kzq5re.sys
C:\WINDOWS\tdomgafw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-666500985
C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
C:\kbvxxo.exe
C:\mxuxc.exe
C:\WINDOWS\knxsrgte.exe
C:\WINDOWS\qvlbodmnlks.dll
C:\WINDOWS\svorbmke.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\kzq5re.sys
C:\WINDOWS\tdomgafw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kzq5re


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 22:10 . 2008-05-04 13:56 <DIR> d-------- C:\WINDOWS\system32\382077
2008-05-03 22:08 . 2008-05-03 22:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 22:08 . 2008-05-03 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-03 22:01 . 2008-05-03 22:01 396,288 --a------ C:\Program Files\HijackThis.exe
2008-05-03 19:00 . 2008-05-03 19:00 <DIR> d-------- C:\WINDOWS\Sun
2008-05-03 18:59 . 2008-05-03 18:59 <DIR> d-------- C:\Program Files\Java
2008-05-03 18:59 . 2008-05-03 18:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-03 18:59 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-05-03 18:29 . 2008-05-03 18:40 <DIR> d-------- C:\Documents and Settings\Dave\.housecall6.6
2008-05-03 16:46 . 2008-05-03 17:42 573 --a------ C:\WINDOWS\wininit.ini
2008-05-03 16:07 . 2008-05-03 16:07 <DIR> d---s---- C:\Documents and Settings\Dave\UserData
2008-05-03 15:38 . 2008-05-03 15:39 <DIR> d-------- C:\VSTPlugIns
2008-05-03 15:21 . 2008-05-03 15:21 <DIR> d-------- C:\Program Files\DirectiXer
2008-05-03 14:31 . 2008-05-03 14:33 <DIR> d-------- C:\Program Files\Audacity
2008-05-03 14:17 . 2000-11-27 04:02 163,840 -ra------ C:\WINDOWS\system32\rddP1009.dat
2008-05-03 14:17 . 2000-11-27 04:04 42,860 -ra------ C:\WINDOWS\system32\drivers\rdwm1009.sys
2008-05-03 14:17 . 2000-11-27 04:03 25,291 -ra------ C:\WINDOWS\system32\rddv1009.dll
2008-05-03 14:09 . 2008-05-03 14:09 <DIR> d-------- C:\Documents and Settings\Dave\WINDOWS
2008-05-03 14:06 . 2008-05-03 14:06 <DIR> d-------- C:\Program Files\FruityloopsExpress
2008-05-03 14:05 . 2008-05-03 14:05 <DIR> d-------- C:\Program Files\Tutorials
2008-05-03 14:05 . 2008-05-03 14:05 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2008-05-03 14:04 . 2008-05-03 14:06 <DIR> d-------- C:\Program Files\Sample Content
2008-05-03 14:04 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Drum Styles
2008-05-03 14:04 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Cakewalk
2008-05-03 14:04 . 2008-05-03 15:56 <DIR> d-------- C:\Cakewalk Projects
2008-05-03 14:04 . 2001-07-06 01:00 7,262,208 --a------ C:\Program Files\CWHS.EXE
2008-05-03 14:04 . 2001-07-06 01:00 2,240,512 --a------ C:\Program Files\cw10hyph.dll
2008-05-03 14:04 . 2001-07-06 01:00 794,624 --a------ C:\Program Files\cw10aud.dll
2008-05-03 14:04 . 2001-07-06 01:00 524,800 --a------ C:\Program Files\rnco3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 487,936 --a------ C:\Program Files\rmme3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 487,936 --a------ C:\Program Files\rmbe3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 430,080 --a------ C:\Program Files\cj609lib.dll
2008-05-03 14:04 . 2001-07-06 01:00 410,112 --a------ C:\Program Files\encn3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 352,768 --a------ C:\Program Files\pngu3263.dll
2008-05-03 14:04 . 2001-07-06 01:00 321,024 --a------ C:\Program Files\rmto3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 273,408 --a------ C:\Program Files\pncrt.dll
2008-05-03 14:04 . 2001-07-06 01:00 272,896 --a------ C:\Program Files\erv23260.dll
2008-05-03 14:04 . 2001-07-06 01:00 200,704 --a------ C:\Program Files\automation.dll
2008-05-03 14:04 . 2001-01-05 17:51 162,304 --a------ C:\Program Files\UNWISE.EXE
2008-05-03 14:04 . 2001-07-06 01:00 110,592 --a------ C:\Program Files\cwdxpx1.dll
2008-05-03 14:04 . 2001-07-06 01:00 94,208 --a------ C:\Program Files\erv13260.dll
2008-05-03 14:04 . 2001-07-06 01:00 84,992 --a------ C:\Program Files\14_43260.dll
2008-05-03 14:04 . 2001-07-06 01:00 81,920 --a------ C:\Program Files\raencode.dll
2008-05-03 14:04 . 2001-07-06 01:00 81,408 --a------ C:\Program Files\ednt3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 60,416 --a------ C:\Program Files\espr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 52,736 --a------ C:\Program Files\rv203260.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,184 --a------ C:\Program Files\cw10sq16.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,056 --a------ C:\Program Files\cw10sq32.dll
2008-05-03 14:04 . 2001-07-06 01:00 45,056 --a------ C:\Program Files\28_83260.dll
2008-05-03 14:04 . 2001-07-06 01:00 41,984 --a------ C:\Program Files\sdpp3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 30,720 --a------ C:\Program Files\auth3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 30,208 --a------ C:\Program Files\rn5a3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 28,672 --a------ C:\Program Files\rv103260.dll
2008-05-03 14:04 . 2001-07-06 01:00 25,600 --a------ C:\Program Files\basc3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 24,576 --a------ C:\Program Files\cook3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 23,552 --a------ C:\Program Files\cokr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 21,504 --a------ C:\Program Files\enlv3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\dnet3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\cw10sq16thk.dll
2008-05-03 14:04 . 2001-07-06 01:00 20,480 --a------ C:\Program Files\cw10dx16thk.dll
2008-05-03 14:04 . 2001-07-06 01:00 16,896 --a------ C:\Program Files\sipr3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 11,264 --a------ C:\Program Files\pnrs3260.dll
2008-05-03 14:04 . 2001-07-06 01:00 9,312 --a------ C:\Program Files\cw10dx16.dll
2008-05-03 14:04 . 2001-07-06 01:00 6 --a------ C:\Program Files\gmsystem.syx
2008-05-03 14:03 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\MusicLab
2008-05-03 14:00 . 2008-05-03 14:00 <DIR> d-------- C:\WINDOWS\PrimoPDF4
2008-05-03 14:00 . 2008-05-03 14:00 <DIR> d-------- C:\Program Files\activePDF
2008-05-03 14:00 . 2006-12-11 15:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-05-03 12:47 . 2008-05-03 12:47 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Autodesk
2008-05-03 12:25 . 2008-05-04 13:56 <DIR> d-------- C:\Documents and Settings\Dave
2008-05-03 12:25 . 2008-05-04 14:59 94,208 --ah----- C:\Documents and Settings\Dave\ntuser.dat.LOG
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\WINDOWS\occache
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\WexTech
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\WexTech Shared
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\LHSPF
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-03 11:50 . 1999-06-03 12:05 170,496 --a------ C:\WINDOWS\system32\awrtl30.dll
2008-05-03 11:50 . 1998-08-04 11:22 111,616 --a------ C:\WINDOWS\system32\Ltih30tb.dll
2008-05-03 11:02 . 2008-05-03 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-05-03 10:56 . 2008-05-03 10:56 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-03 10:40 . 2008-05-03 10:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-03 10:40 . 2008-05-03 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 10:33 . 2008-05-03 10:33 35,262 --a------ C:\WINDOWS\Administrator.acl
2008-05-03 10:10 . 2008-05-04 10:00 872,448 --ah----- C:\ffastun0.ffx
2008-05-03 10:10 . 2008-05-04 10:00 151,552 --ah----- C:\ffastun.ffo
2008-05-03 10:10 . 2008-05-04 10:00 4,717 --ah----- C:\ffastun.ffa
2008-05-03 10:09 . 2008-05-03 10:09 <DIR> d-------- C:\WINDOWS\SendTo
2008-05-03 10:09 . 2008-05-04 10:00 352,256 --ah----- C:\ffastun.ffl
2008-05-03 10:09 . 2008-05-03 10:09 69,632 --a------ C:\WINDOWS\system32\system.mdw
2008-05-03 10:09 . 2008-05-03 10:09 6,209 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-05-03 10:09 . 2008-05-03 10:09 611 --a------ C:\WINDOWS\ODBC.INI
2008-05-03 10:09 . 2008-05-03 10:09 22 --a------ C:\WINDOWS\exchng.ini
2008-05-03 10:08 . 2008-05-03 10:09 <DIR> d-------- C:\WINDOWS\forms
2008-05-03 10:08 . 2008-05-03 10:08 <DIR> d-------- C:\Program Files\Windows Messaging
2008-05-03 10:05 . 2008-05-03 11:51 <DIR> d-------- C:\Program Files\AutoCAD LT 2000i
2008-05-03 10:05 . 2008-05-03 10:05 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-03 10:02 . 2008-05-03 12:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-03 10:01 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-30 21:42 . 2008-04-30 21:42 <DIR> d-------- C:\Program Files\M-Audio
2008-04-30 21:42 . 2008-05-03 14:05 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 21:42 . 2008-05-03 14:04 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-30 21:42 . 2006-05-01 16:46 2,405,806 --a------ C:\WINDOWS\system32\pcifmdio.dll
2008-04-30 21:42 . 2004-09-10 00:45 1,122,304 --a------ C:\WINDOWS\system32\deltapnl.exe
2008-04-30 21:42 . 2005-10-06 21:31 292,992 --a------ C:\WINDOWS\system32\drivers\delta.sys
2008-04-30 21:42 . 2004-08-27 06:43 56,320 --a------ C:\WINDOWS\system32\DeltTray.exe
2008-04-30 21:42 . 2004-09-10 00:45 44,032 --a------ C:\WINDOWS\system32\deltapnl.dll
2008-04-30 21:42 . 2005-10-06 21:31 20,480 --a------ C:\WINDOWS\system32\deltasio.dll
2008-04-30 21:42 . 2004-08-13 20:06 5,120 --a------ C:\WINDOWS\system32\DeltaCPL.cpl
2008-04-30 21:32 . 2008-05-03 20:22 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-30 17:26 . 2004-08-04 06:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-30 17:26 . 2004-08-04 06:15 145,792 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-04-30 17:26 . 2004-08-04 06:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-30 17:26 . 2004-08-04 06:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-04-30 17:26 . 2004-08-04 00:58 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-04-30 17:26 . 2004-08-04 00:58 7,552 --a--c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-04-30 17:26 . 2004-08-04 00:58 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-04-30 17:26 . 2004-08-04 00:58 5,376 --a--c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2008-04-30 17:26 . 2004-08-04 00:58 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-04-30 17:26 . 2004-08-04 00:58 4,992 --a--c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2008-04-30 17:25 . 2008-04-30 17:25 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-30 17:23 . 2005-09-20 08:43 2,310,144 --a------ C:\WINDOWS\system32\iglicd32.dll
2008-04-30 16:30 . 2008-05-04 13:51 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2008-04-30 16:30 . 2008-04-30 16:30 61 --a------ C:\WINDOWS\smscfg.ini
2008-04-30 16:28 . 2005-09-20 08:31 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-30 16:28 . 2008-04-30 21:32 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 19:00 4,968 ----a-w C:\Program Files\hijackthis.log
2008-05-03 20:56 1,469 ----a-w C:\Program Files\AUD.INI
2008-05-03 20:56 1,409 ----a-w C:\Program Files\TTSNOTE.FOR
2008-05-03 19:26 140 ----a-w C:\Program Files\TTSSEQ.INI
2008-05-03 19:11 5,592 ----a-w C:\Program Files\WaveProf.Txt
2008-05-03 19:06 23,311 ----a-w C:\Program Files\INSTALL.LOG
2008-05-03 19:05 57,436 ----a-w C:\Program Files\cakewalk.ini
2001-07-06 16:22 1,532,865 ----a-w C:\Program Files\cwhs.chm
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\382077 ----



((((((((((((((((((((((((((((( snapshot@2008-05-04_13.58.59.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 18:58:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 19:59:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 06:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-27 06:43 56320 C:\WINDOWS\system32\DeltTray.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-03 10:02:47 113664]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= rddv1009.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2005-02-17 23:05]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 17:14]
R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2005-05-17 21:12]
R0 megasas;DELL PERC RAID Driver;C:\WINDOWS\system32\drivers\megasas.sys [2006-04-18 12:51]
R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 19:16]
S3 RD1009;Roland UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys [2000-11-27 04:04]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 13:02]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 14:59:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-04 15:00:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 20:00:23
ComboFix2.txt 2008-05-04 18:59:10

Pre-Run: 153,531,351,040 bytes free
Post-Run: 153,523,027,968 bytes free

233
 
Hi

I meant do you recognize what is C:\WINDOWS\dsdxirmv.exe file related to? If not we have to scan it to make sure it doesn't contain any malware. The file can be sent to http://virusscan.jotti.org. Open that address and insert C:\WINDOWS\dsdxirmv.exe in the field. Then click submit and wait for the results.

Then I've got another question too. Do these addresses belong to your internet service provider 208.67.220.220,208.67.222.222?
 
Blade81 said:
Hi

I meant do you recognize what is C:\WINDOWS\dsdxirmv.exe file related to? If not we have to scan it to make sure it doesn't contain any malware. The file can be sent to http://virusscan.jotti.org. Open that address and insert C:\WINDOWS\dsdxirmv.exe in the field. Then click submit and wait for the results.
Click to expand...

No, I don't know what program it's related to. I will run a scan on it later - previously I had been unable to open an internet connection on that computer on several occasions. Since the last set of removals, I should be able to now. I'm at work presently, but will scan this file when I get home this evening.

Blade81 said:
Then I've got another question too. Do these addresses belong to your internet service provider 208.67.220.220,208.67.222.222?
Click to expand...

I don't know - how do I determine this? I have a high-speed internet connection that runs through a home network router, if that makes any difference.
 
Hi

Ok. I'll be waiting for the Jotti results concerning that exe file.
I don't know - how do I determine this? I have a high-speed internet connection that runs through a home network router, if that makes any difference.
Click to expand...
That is simply tested. :)

Start hjt, do a system scan, check:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{900EF8A5-909B-4E81-9E8C-7FD24E854AB3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Close browsers and fix checked.

Reboot. If internet connection is still working then fixing those was ok. If connection isn't working then start hjt, go to main menu & open the misc tools section. Click backups and select those entries with 208.67.220.220,208.67.222.222 and restore them.
 
Blade81 said:
Hi

Ok. I'll be waiting for the Jotti results concerning that exe file.

That is simply tested. :)
Click to expand...

Jotti found nothing on that file - all of the scanner results were "Found nothing."


Blade81 said:
Start hjt, do a system scan, check:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{900EF8A5-909B-4E81-9E8C-7FD24E854AB3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F973571-084D-491D-B0C7-D0F00251A94C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Close browsers and fix checked.

Reboot. If internet connection is still working then fixing those was ok. If connection isn't working then start hjt, go to main menu & open the misc tools section. Click backups and select those entries with 208.67.220.220,208.67.222.222 and restore them.
Click to expand...

Internet connection still works after that fix.

Only problem is (and this was like this even before I did that fix on HJT), no graphics or pictures show up on the internet, so obviously something is missing from Internet Explorer or something.

Anything else I need to do? Any more scans I should run? How do I fix the graphics / pictures problem with IE?

Thanks for all your help - I really do appreciate it!
 
Anything else I need to do? Any more scans I should run? How do I fix the graphics / pictures problem with IE?
Click to expand...
Hi

Since you have Kaspersky online scanner installed let's run it with a full scan. Post back its report & a fresh hjt log. With IE problem I think that installing IE7 might solve the problem. Anyway, let's see those logs first. :)
 
New Kaspersky and HJT logs

Kaspersky:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 5:27:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 743022
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 22417
Number of viruses found: 10
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 00:10:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Dave\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.16157 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Dave\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.21421 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Dave\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95736 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Dave\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.97581 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Dave\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dave\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dave\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\knxsrgte.exe.vir Infected: Trojan.Win32.Vapsup.erf skipped
C:\QooBox\Quarantine\C\WINDOWS\qvlbodmnlks.dll.vir Infected: Trojan.Win32.Vapsup.erl skipped
C:\QooBox\Quarantine\C\WINDOWS\svorbmke.exe.vir Infected: Trojan.Win32.Vapsup.erk skipped
C:\QooBox\Quarantine\C\WINDOWS\tdomgafw.dll.vir Infected: Trojan.Win32.Vapsup.eri skipped
C:\QooBox\Quarantine\catchme2008-05-04_135706.96.zip/ddcayxuS.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-04_135706.96.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002789.exe/crack.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002789.exe/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002789.exe/serial.exe Infected: Trojan-Downloader.Win32.Small.vab skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0002789.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0003769.dll Infected: Trojan.Win32.Vapsup.erj skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP12\A0003770.dll Infected: Trojan.Win32.Vapsup.erg skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003951.exe/crack.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003951.exe/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003951.exe/serial.exe Infected: Trojan-Downloader.Win32.Small.vab skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP14\A0003951.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004020.exe Infected: Trojan.Win32.Vapsup.erf skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004021.dll Infected: Trojan.Win32.Vapsup.erl skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004022.exe Infected: Trojan.Win32.Vapsup.erk skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\A0004025.dll Infected: Trojan.Win32.Vapsup.eri skipped
C:\System Volume Information\_restore{6B8BF05F-EEFE-4A41-96AD-B82E393DA7FC}\RP15\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.






HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:07 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

--
End of file - 3471 bytes
 
Hi

All bad items are either quarantined or in system restore. I think you should try installing IE 7 to see if it makes any difference. Are those graphics missing on every website or only some particular ones?
 
Blade81 said:
Hi

All bad items are either quarantined or in system restore. I think you should try installing IE 7 to see if it makes any difference. Are those graphics missing on every website or only some particular ones?
Click to expand...


I'll try reinstalling IE7. Graphics have been missing from every single website. I'll let you know what happens after the reinstall.
 
Reinstalled IE7. Pictures and graphics still do not appear in browser for any websites at all.

This is a new system for me - since the malware cleaning is complete, should I simply do a Windows reinstall? I'm thinking that's probably the easiest and fastest way to fix things.
 
Blade81 said:
Hi

Let's see if this Microsoft article helps. By the way, when did you notice that graphics were missing? Was it after some step during this cleaning process?
Click to expand...

Hi - sorry, had other things going on this evening; didn't get to the Microsoft article yet. Will try to tomorrow evening.

Graphics went missing, as I recall, the first time I was able to sign back on to the internet while doing some of the first cleaning steps. I don't know which one that was, as it took a few steps before I could even get any kind of connection on that computer. But it was very early in the cleaning process.
 
You must log in or register to reply here.
Back
Top