Trojan nebular and downloader eeek!

Jarabara · Nov 12, 2007

HELLO PEOPLE

Please can you help me to get rid of or control these nasties on my system? I have Spybot, Spyware detector and Advanced Spyware remover plus Norton AntiVirus. Can't get rid of these Trojans.

My HJT Log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:51 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ortdxnti.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.southwestcc.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from South WestCC.Net
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [74cb20d9] rundll32.exe "C:\WINDOWS\system32\ioknyjak.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.southwestcc.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194685754477
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ortdxnti.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 5757 bytes

And the Kraspersky log is:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 12, 2007 4:33:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/11/2007
Kaspersky Anti-Virus database records: 456377
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 37868
Number of viruses found: 9
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 02:33:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35cd4ee885e31936bc750ba0f05f6ecb_48d14704-1025-4922-a76e-dd8283126d8c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8170f6a9d2c200b0165d849d2b7ab385_48d14704-1025-4922-a76e-dd8283126d8c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\nsm123.tmp\ads_3.5.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\user\Local Settings\Temp\nsm123.tmp\ads_3.5.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\user\Local Settings\Temp\nsm123.tmp\ads_3.5.exe NSIS: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Temp\s2r4/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewWeb.ar skipped
C:\Documents and Settings\user\Local Settings\Temp\s2r4/stream Infected: not-a-virus:AdWare.Win32.NewWeb.ar skipped
C:\Documents and Settings\user\Local Settings\Temp\s2r4 NSIS: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF317C.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF7FF2.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTQZW9A3\TheRotator-vert[1].swf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTQJ8LIJ\logo_Best_Buy_127x54[1].gif Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTQJ8LIJ\logo_Circuit_City_127x54[2].gif Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTQJ8LIJ\main_banner_v2b[1].swf Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\UTQJ8LIJ\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\073528BE Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\1114022B.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Norton AntiVirus\Quarantine\5140681F Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Norton AntiVirus\Quarantine\798820A7.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP23\A0002502.dll Infected: not-a-virus:AdWare.Win32.NewWeb.ar skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP23\A0002512.exe Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP23\A0002516.exe Infected: Trojan-Dropper.Win32.Agent.chq skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP25\A0004539.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP28\change.log Object is locked skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Motorola SM56 Speakerphone Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A2D89A25-779F-404D-9B4F-43922BFE8BDA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mctspuaj.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\ortdxnti.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\rqrspqq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahq skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winjgs32.dll Object is locked skipped
C:\WINDOWS\Temp\win805.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks for your time guys, I hope I posted everything you need in the right place!

I like Spybot S&D but sometimes when it asks me to accept or decline changes it immeiately comes back with the same request but without the decline option. I usually decline if I haven't made any changes or when changes try to happen but I can't see any reason why. Is Spybot meant to refuse me control on some options? Thanks guys...

Jarabara · Nov 12, 2007

Add to first message about nebular and downloader

Hi again, I've just noticed that when I try to empty my recycle bin I get a message saying 'cannot delete Dc20 - access is denied'. Recycle bin tells me it cannot delete these two items - but there are no visible items in the folder. I selected 'show hidden items' but nothing appears.

Please help!

Shaba · Nov 12, 2007

Hi infested!

Rename HijackThis.exe to infested.exe and post back a fresh HijackThis log, please

Jarabara · Nov 12, 2007

New HJT log

Thanks for getting back to me. The new log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:43 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ortdxnti.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\Infested.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.southwestcc.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from

South WestCC.Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A20950D-8737-475D-B5F9-156D5B21B817} - (no file)
O2 - BHO: (no name) - {385DFF7F-9E7D-44CB-9780-E520DFD4EBF1} - C:\WINDOWS\system32\xxyvw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} -

C:\WINDOWS\system32\rqrspqq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D1DB4FEA-84E3-477A-BF99-19DC2C4D96EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [74cb20d9] rundll32.exe "C:\WINDOWS\system32\ioknyjak.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works

Shared\WkCalRem.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.southwestcc.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} -

http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1

194685754477
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: rqrspqq - C:\WINDOWS\SYSTEM32\rqrspqq.dll
O20 - Winlogon Notify: winjgs32 - C:\WINDOWS\SYSTEM32\winjgs32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ortdxnti.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program

Files\SpywareDetector\SDService.exe

--
End of file - 6701 bytes

Shaba · Nov 12, 2007

Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

tashi · Nov 12, 2007

infested! please hit reply and not start new topic.

It is confusing when a helper is responding to this thread and then another topic is found.
http://forums.spybot.info/showpost.php?p=135225&postcount=2

Jarabara · Nov 13, 2007

3 logs as requested

Hello again,

Sorry Tashi, duly noted

Below are the logs you needed. Thanks again, really appreciate your help. I'm on the disabiltiy pension and, while I will try to afford any programs i have to buy, it would take a while. And my computer is 2nd-hand/new, I bought it as a birthday present to myself only 2 weeks ago - I was left with only $80 of my pension after buying it.

Anyhow, before i paste the logs here are some things I have noticed:

Error message on start-up: Cannot find Windows/sys32/ioknyjak.dll

system is getting slower and slower. Windows sometimes tells me i am running on virtual memory, and CPU monitor in task manager is often at 100% even when i am doing nothing.

Computer keeps trying to connect to internet without any obvious cause.

i keep seeing boxes similar to those in combofix - like a programming box when you're writing your own programs.

and i keep losing my internet connection.

my paypal and yahoo accounts have been hijacked :-(

Logs as follows:

VundoFix V6.5.11

Checking Java version...

Sun Java not detected
Scan started at 11:36:20 AM 11/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\mbbbgwkt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mbbbgwkt.dll
C:\WINDOWS\system32\mbbbgwkt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Sun Java not detected
Scan started at 12:02:43 PM 11/13/2007

Listing files found while scanning....

No infected files were found.

ComboFix 07-11-08.1 - user 2007-11-13 12:14:51.1 - NTFSx86
Running from: C:\Program Files\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\user\Desktop\Live Safety Center.lnk
C:\Documents and Settings\user\Desktop\Online Security Guide.lnk
C:\Documents and Settings\user\Favorites\Online Security Guide.lnk
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\fwnyaxlb.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\mbbbgwkt.dllbox
C:\WINDOWS\system32\rqrspqq.dll
C:\WINDOWS\system32\ugdsijnm.dll
C:\WINDOWS\system32\wvyxx.bak1
C:\WINDOWS\system32\wvyxx.bak2
C:\WINDOWS\system32\wvyxx.ini
C:\WINDOWS\system32\xxyvw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 11:36 <DIR> d-------- C:\VundoFix Backups
2007-11-13 11:19 144,480 --a------ C:\WINDOWS\system32\anqinqng.dll
2007-11-13 11:17 89,664 --a------ C:\WINDOWS\system32\sbxasite.dll
2007-11-13 11:12 115,712 --a------ C:\Program Files\VundoFix.exe
2007-11-13 11:11 81,472 --a------ C:\WINDOWS\system32\awgnjmxt.dll
2007-11-13 11:10 71,232 --a------ C:\WINDOWS\system32\sfpklfih.exe
2007-11-13 08:15 1,539,258 --a------ C:\Program Files\ComboFix.exe
2007-11-13 07:58 81,472 --a------ C:\WINDOWS\system32\vxahdruw.dll
2007-11-13 07:51 71,232 --a------ C:\WINDOWS\system32\veexutba.exe
2007-11-12 04:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 04:39 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-11-12 00:12 88,128 --a------ C:\WINDOWS\system32\hodvxtdo.dll
2007-11-12 00:10 79,936 --a------ C:\WINDOWS\system32\isydcqrn.dll
2007-11-12 00:09 71,232 --a------ C:\WINDOWS\system32\ortdxnti.exe
2007-11-11 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-11 21:05 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-11 21:05 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-11 21:05 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-11 21:05 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-11 21:05 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-11 21:05 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-11 21:05 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-11 21:05 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-11 09:43 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-11 09:40 <DIR> d-------- C:\Program Files\SpywareDetector
2007-11-11 09:40 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-11 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-11 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-11 09:40 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-11-11 09:40 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-11-11 09:40 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2007-11-11 09:37 7,327,392 --a------ C:\Program Files\spywaredetector.exe
2007-11-11 04:43 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-11-11 04:42 2,038,221 --a------ C:\Program Files\ASRLSetup.exe
2007-11-11 04:01 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-10 23:41 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-10 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 23:17 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2007-11-10 22:02 81,472 --a------ C:\WINDOWS\system32\oaorbfgd.dll
2007-11-10 22:02 71,232 --a------ C:\WINDOWS\system32\mctspuaj.exe
2007-11-10 22:02 7,076 --a------ C:\WINDOWS\system32\fmxipmdf.dll
2007-11-10 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-10 21:44 <DIR> d-------- C:\Temp
2007-11-10 09:47 32 --ahs---- C:\WINDOWS\system32\{D8893437-A686-4068-880F-35FD8FF988FC}.dat
2007-11-10 09:47 32 --ahs---- C:\WINDOWS\{2AF8D091-486B-4FD1-B691-298BF14496E9}.dat
2007-11-10 09:46 14 --a------ C:\WINDOWS\system32\SR2.dat
2007-11-10 09:44 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-10 09:44 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-10 09:43 <DIR> d-------- C:\Documents and Settings\user\Application Data\Symantec
2007-11-10 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-10 09:41 <DIR> d-------- C:\Program Files\Symantec
2007-11-10 09:40 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-11-10 09:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-10 08:44 153,164 --a------ C:\WINDOWS\system32\nnnom.dll
2007-11-10 08:43 19,968 --a------ C:\WINDOWS\system32\winjgs32.dll
2007-11-10 08:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-09 20:31 <DIR> d-------- C:\DVD_VIDEO
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\user\VIDEO_TS
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\user\AUDIO_TS
2007-11-09 20:05 <DIR> d-------- C:\Program Files\DVD Shrink
2007-11-09 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-09 20:04 1,117,491 --a------ C:\Program Files\dvdshrink32setup.exe
2007-11-08 18:23 857,583 --a------ C:\Program Files\DVD Decoder Pack for Windows XP Media Player.zip
2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\user\Shared
2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\user\Incomplete
2007-11-08 12:49 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-08 12:49 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-08 12:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-08 12:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-07 18:22 <DIR> d-------- C:\WINDOWS\Sun
2007-11-05 15:55 <DIR> d-------- C:\Documents and Settings\user\Application Data\DivX
2007-11-05 01:11 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-11-05 01:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-02 00:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2007-11-01 17:45 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-11-01 17:45 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-11-01 17:22 <DIR> d-------- C:\Program Files\mpeg-2_codec
2007-11-01 17:16 <DIR> d-------- C:\Documents and Settings\user\Application Data\Media Player Classic
2007-11-01 14:36 <DIR> d--hs---- C:\Documents and Settings\user\UserData
2007-11-01 13:04 <DIR> d-------- C:\WINDOWS\Cache
2007-11-01 13:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-31 12:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-30 14:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ahead
2007-10-30 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-30 14:11 <DIR> d-------- C:\Program Files\Nero
2007-10-30 14:11 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-10-26 16:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\Template
2007-10-26 14:53 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-25 10:23 <DIR> d-------- C:\Program Files\Motorola
2007-10-25 10:23 984,832 -ra------ C:\WINDOWS\system32\drivers\smserial.sys
2007-10-25 10:23 196,608 -ra------ C:\WINDOWS\system32\sm56co6a.dll
2007-10-25 10:23 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-10-25 10:23 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-10-24 15:43 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-24 15:37 <DIR> d-------- C:\Program Files\Google
2007-10-18 20:06 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 04:41 278,538 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-09 21:33 278,537 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-24 03:41 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A20950D-8737-475D-B5F9-156D5B21B817}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50572B04-6F05-41DA-B6CD-5D9119B3DEB4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74A7B6F2-D5DE-49BE-B9DF-7F83B8E427BB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE970959-7671-45EA-AD51-D075A680A772}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DB4FEA-84E3-477A-BF99-19DC2C4D96EB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 21:22]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-07 17:14]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 08:33]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-09-17 13:40]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-09-17 13:39]
"74cb20d9"="C:\WINDOWS\system32\ioknyjak.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-07 16:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgs32]
winjgs32.dll 2007-11-10 08:43 19968 C:\WINDOWS\system32\winjgs32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxyvw.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 23:02:33 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-13 01:45:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 12:33:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 12:45:48 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:15 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Trend Micro\HijackThis\Infested.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A20950D-8737-475D-B5F9-156D5B21B817} - (no file)
O2 - BHO: (no name) - {50572B04-6F05-41DA-B6CD-5D9119B3DEB4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74A7B6F2-D5DE-49BE-B9DF-7F83B8E427BB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE970959-7671-45EA-AD51-D075A680A772} - (no file)
O2 - BHO: (no name) - {D1DB4FEA-84E3-477A-BF99-19DC2C4D96EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [74cb20d9] rundll32.exe "C:\WINDOWS\system32\ioknyjak.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.southwestcc.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194685754477
O20 - Winlogon Notify: winjgs32 - C:\WINDOWS\SYSTEM32\winjgs32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 6294 bytes

Jarabara · Nov 13, 2007

jeez i always forget something

forgot to mention, teatimer from spybot had to offer me accept/decline shanges about 25 times this morning. Not exaggerating. I re-enabled teatimer after doing the logs you needed.

Jarabara · Nov 13, 2007

maxsecure spyware detector

I ran most of a scan by this program, it told me the following:

Trojan dropper in:

C:/WINDOWS/system32/kaspersky lab/kaspersky online scan…a0ef286b84892721d365bc9260c63bb8
Looked for it manually but couldn’t find it.

13 Trojan agents, mostly in Microsoft mssmger

12 files listed as Adware.Mirar mostly in windows .currentve

2 files under fake anti-spy ware ‘win fixer’, one in hkey_local_machine/software/classes/drive/shellex/contex and another in hkey_local_machine/software/classes/directory/shellex/co….

I did a windows explorer search for win fixer but it crashed.

2 items listed under Trojan start page:

And backdoor.bifrose, hkey.users/s-1-5-21-602162358-8542425398-1060284298

I stopped the scan because it took so long.

I had to manually severe my internet connection last time I logged in. Just wouldn't disconnect.

Things are running a little smoother but still not good.

Can you tell me what I should have done: Spybot asked me to accept/decline value deleted in system start-up global entry, entry 74cb20d9. I was wondering what to do, thinking I would decline but spybot crashed and i lost the option.

Then i got a message saying : you have chosen to end the nonresponsive program, System settings protector'. I'm sure I wasn't behind that.

Is my system screwed?

Shaba · Nov 13, 2007

Hi

Please disable TeaTimer and keep it disabled until I say when you can re-enable it.

"my paypal and yahoo accounts have been hijacked :-("

Then you should change their passwords using a clean computer and also all other online passwords.

Maxsecure spyware detector really isn't a well-known software and mcafee siteadvisor rates that site as bad so I wouldn't trust its findings at all.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\anqinqng.dll
C:\WINDOWS\system32\sbxasite.dll
C:\WINDOWS\system32\awgnjmxt.dll
C:\WINDOWS\system32\sfpklfih.exe
C:\WINDOWS\system32\vxahdruw.dll
C:\WINDOWS\system32\veexutba.exe
C:\WINDOWS\system32\hodvxtdo.dll
C:\WINDOWS\system32\isydcqrn.dll
C:\WINDOWS\system32\ortdxnti.exe
C:\WINDOWS\system32\oaorbfgd.dll
C:\WINDOWS\system32\mctspuaj.exe
C:\WINDOWS\system32\fmxipmdf.dll
C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\winjgs32.dll
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A20950D-8737-475D-B5F9-156D5B21B817}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50572B04-6F05-41DA-B6CD-5D9119B3DEB4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74A7B6F2-D5DE-49BE-B9DF-7F83B8E427BB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE970959-7671-45EA-AD51-D075A680A772}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1DB4FEA-84E3-477A-BF99-19DC2C4D96EB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
"74cb20d9"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjgs32] 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply

Post:

- a fresh HijackThis log
- combofix report
- sdfix report
- uninstall list

Jarabara · Nov 13, 2007

4 new logs - part one

hi Shaba, thanks for getting back to me again. Here are the logs you requested. Hope they're right. I had to reinstall combofix (accidentally pressed 2 - decline terms)

ComboFix 07-11-08.1 - user 2007-11-13 20:39:02.2 - NTFSx86
Running from: C:\Program Files\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\My Documents\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\anqinqng.dll
C:\WINDOWS\system32\awgnjmxt.dll
C:\WINDOWS\system32\fmxipmdf.dll
C:\WINDOWS\system32\hodvxtdo.dll
C:\WINDOWS\system32\isydcqrn.dll
C:\WINDOWS\system32\mctspuaj.exe
C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\oaorbfgd.dll
C:\WINDOWS\system32\ortdxnti.exe
C:\WINDOWS\system32\sbxasite.dll
C:\WINDOWS\system32\sfpklfih.exe
C:\WINDOWS\system32\veexutba.exe
C:\WINDOWS\system32\vxahdruw.dll
C:\WINDOWS\system32\winjgs32.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\anqinqng.dll
C:\WINDOWS\system32\awgnjmxt.dll
C:\WINDOWS\system32\fmxipmdf.dll
C:\WINDOWS\system32\hodvxtdo.dll
C:\WINDOWS\system32\isydcqrn.dll
C:\WINDOWS\system32\mctspuaj.exe
C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\oaorbfgd.dll
C:\WINDOWS\system32\ortdxnti.exe
C:\WINDOWS\system32\sbxasite.dll
C:\WINDOWS\system32\sfpklfih.exe
C:\WINDOWS\system32\veexutba.exe
C:\WINDOWS\system32\vxahdruw.dll
C:\WINDOWS\system32\winjgs32.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 20:33 1,539,258 --a------ C:\Program Files\ComboFix.exe
2007-11-13 12:11 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 11:12 115,712 --a------ C:\Program Files\VundoFix.exe
2007-11-12 04:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-12 04:39 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-11-11 23:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-11 21:05 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-11 21:05 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-11 21:05 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-11 21:05 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-11 21:05 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-11 21:05 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-11 21:05 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-11 21:05 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-11 09:43 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-11 09:40 <DIR> d-------- C:\Program Files\SpywareDetector
2007-11-11 09:40 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-11-11 09:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-11 09:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-11 09:40 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-11-11 09:40 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-11-11 09:40 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2007-11-11 09:37 7,327,392 --a------ C:\Program Files\spywaredetector.exe
2007-11-11 04:43 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-11-11 04:42 2,038,221 --a------ C:\Program Files\ASRLSetup.exe
2007-11-11 04:01 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-10 23:41 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-10 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 23:17 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2007-11-10 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-10 21:44 <DIR> d-------- C:\Temp
2007-11-10 09:47 32 --ahs---- C:\WINDOWS\system32\{D8893437-A686-4068-880F-35FD8FF988FC}.dat
2007-11-10 09:47 32 --ahs---- C:\WINDOWS\{2AF8D091-486B-4FD1-B691-298BF14496E9}.dat
2007-11-10 09:46 14 --a------ C:\WINDOWS\system32\SR2.dat
2007-11-10 09:44 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-10 09:44 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-10 09:43 <DIR> d-------- C:\Documents and Settings\user\Application Data\Symantec
2007-11-10 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-10 09:41 <DIR> d-------- C:\Program Files\Symantec
2007-11-10 09:40 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-11-10 09:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-10 08:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-09 20:31 <DIR> d-------- C:\DVD_VIDEO
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\user\VIDEO_TS
2007-11-09 20:16 <DIR> d-------- C:\Documents and Settings\user\AUDIO_TS
2007-11-09 20:05 <DIR> d-------- C:\Program Files\DVD Shrink
2007-11-09 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-09 20:04 1,117,491 --a------ C:\Program Files\dvdshrink32setup.exe
2007-11-08 18:23 857,583 --a------ C:\Program Files\DVD Decoder Pack for Windows XP Media Player.zip
2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\user\Shared
2007-11-08 16:25 <DIR> d-------- C:\Documents and Settings\user\Incomplete
2007-11-08 12:49 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-08 12:49 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-08 12:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-08 12:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-07 18:22 <DIR> d-------- C:\WINDOWS\Sun
2007-11-05 15:55 <DIR> d-------- C:\Documents and Settings\user\Application Data\DivX
2007-11-05 01:11 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-11-05 01:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-11-02 00:27 <DIR> d-------- C:\Documents and Settings\user\Application Data\AdobeUM
2007-11-01 17:45 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-11-01 17:45 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-11-01 17:22 <DIR> d-------- C:\Program Files\mpeg-2_codec
2007-11-01 17:16 <DIR> d-------- C:\Documents and Settings\user\Application Data\Media Player Classic
2007-11-01 14:36 <DIR> d--hs---- C:\Documents and Settings\user\UserData
2007-11-01 13:04 <DIR> d-------- C:\WINDOWS\Cache
2007-11-01 13:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-31 12:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-30 14:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ahead
2007-10-30 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-30 14:11 <DIR> d-------- C:\Program Files\Nero
2007-10-30 14:11 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-10-26 16:15 <DIR> d-------- C:\Documents and Settings\user\Application Data\Template
2007-10-26 14:53 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-25 10:23 <DIR> d-------- C:\Program Files\Motorola
2007-10-25 10:23 984,832 -ra------ C:\WINDOWS\system32\drivers\smserial.sys
2007-10-25 10:23 196,608 -ra------ C:\WINDOWS\system32\sm56co6a.dll
2007-10-25 10:23 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-10-25 10:23 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-10-24 15:43 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-24 15:37 <DIR> d-------- C:\Program Files\Google
2007-10-18 20:06 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 03:41 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{004A0FE4-085B-4CE1-8BE1-B6B47AAC7E64}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 21:22]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-07 17:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-09-17 13:40]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-09-17 13:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-07 16:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 22:21:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrspqq]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 23:02:33 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-13 09:48:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 20:49:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-13 20:56:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-13 12:45
.
--- E O F ---

SDFix: Version 1.114

Run by user on Tue 11/13/2007 at 09:07 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 21:17:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Thu 8 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 13 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 26 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT1.tmp"

Finished!

Jarabara · Nov 13, 2007

4 new logs - part two

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:12 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\Infested.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {004A0FE4-085B-4CE1-8BE1-B6B47AAC7E64} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.southwestcc.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194685754477
O20 - Winlogon Notify: rqrspqq - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 5770 bytes

uninstall log

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Advanced Spyware Remover Free Edition
DVD Decoder Pak for Windows XP
DVD Shrink 3.2
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Kaspersky Online Scanner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Motorola SM56 Speakerphone Modem
Nero 7 Essentials
Norton AntiVirus 2003
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Spybot - Search & Destroy
Spyware Detector
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781

Shaba · Nov 13, 2007

Hi

As for Spyware Detector, see here
and decide whether or not you like to keep it.

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: rqrspqq - C:\WINDOWS\

Close all windows including browser and press fix checked.

Reboot

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

Jarabara · Nov 13, 2007

new logs - think we still got trouble

Hi Shaba, you were very speedy getting back to me that time :bigthumb:

Trend Micro HijackThis v2.0.2
Scan saved at 10:16:22 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\Infested.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {004A0FE4-085B-4CE1-8BE1-B6B47AAC7E64} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.southwestcc.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194685754477
O20 - Winlogon Notify: rqrspqq - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--
End of file - 5253 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 13, 2007 11:24:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/11/2007
Kaspersky Anti-Virus database records: 457486
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 19624
Number of viruses found: 4
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 00:53:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35cd4ee885e31936bc750ba0f05f6ecb_48d14704-1025-4922-a76e-dd8283126d8c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8170f6a9d2c200b0165d849d2b7ab385_48d14704-1025-4922-a76e-dd8283126d8c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Ahead\Nero Home\idx\_16s.cfs Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{2A78B198-47EE-4F51-8731-A97F2923CB26}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\WKSE7.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~Qil3017.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~Qil3961.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\073528BE Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\1114022B.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Norton AntiVirus\Quarantine\404B0061.vir Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\427A11CB.vir Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\42847053.vir Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\5140681F Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C827911.vir Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\768C0C7E Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\78F83D8B Infected: Trojan.Win32.Agent.qt skipped
C:\Program Files\Norton AntiVirus\Quarantine\798820A7.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\qoobox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\qoobox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mctspuaj.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ortdxnti.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sfpklfih.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\veexutba.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006269.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006270.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006276.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006279.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006281.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\A0006282.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{E3A36192-D37A-4493-B742-1468987AEAB9}\RP32\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\a.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\WINDOWS\Fonts\a.zip ZIP: infected - 1 skipped
C:\WINDOWS\ModemLog_Motorola SM56 Speakerphone Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Jarabara · Nov 13, 2007

firefox/opera browser?

Um, don't think I use either....what are they exactly?

BTW, when you first said you weren't keen on spyware detector, I deleted it after producing the 4 logs you asked for. I'm trusting you to tell me what to download and do, so I figured I should trust your opinion of software.

I disabled teatimer again.

Thanks.

Shaba · Nov 13, 2007

Hi

"Um, don't think I use either....what are they exactly?"

Alternative browsers for IE.

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: rqrspqq - C:\WINDOWS\

Close all windows including browser and press fix checked.

Empty these folders:

C:\Program Files\Norton AntiVirus\Quarantine
C:\qoobox\Quarantine\

Delete this:

C:\WINDOWS\Fonts\a.zip

Empty Recycle Bin

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

Jarabara · Nov 13, 2007

Reckon I should change my login to 'infested no more!'

:heart: I think I love you Shaba. Thank-you. My friend told me I would never be rid of those pesky spies, and I panicked a bit. You're a genius.

Lesson learned - wont be using P2P again. Thanks for saving me from my stupidity!

Norton is happy. What next?

Shaba · Nov 13, 2007

Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can remove all tools we used.

If Norton doesn't have a firewall, install one from below:

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Sunbelt/Kerio
3) Agnitum
4) ZoneAlarm

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Jarabara · Nov 13, 2007

thanks again

read the article yesterday. Know it was my own silly fault. WONT be doing that again. Big gratitude

Jarabara · Nov 15, 2007

Hi Shaba

Sorry to bother you again. I'm having trouble downloading Adaware. Tried 3 or 4 site and tried to download about 9 times. Download either stops 48% through, or completes but has corrupted files. Is it down to my new firewall (comodo), or do you know of a general problem?

Trojan nebular and downloader eeek!

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

Member of Team Spybot

New member

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member