
Thread: Affected with Smitfraud-C and LockSky.Nag

  1. #1
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    Affected with Smitfraud-C and LockSky.Nag

    Hi,
    I am infected with Smitfraud-C and Locksky.Nag according to Spybot. I have wasted 2 days trying to solve this. Someone please help me. Now when I shut down my system it shows an exception that it can't read a particular memory address. I have Windows XP SP2, ZoneAlarm 7.0, XoftSpySE 4.31, Avast Antivirus 4.7.
    ================
    The startup list of Spybot 1.4 (updated to the latest definitions) is full of "instcat.dll", "c:\windows\system32\mljgh.dll", "pmnmkkh.dll" and some others. The Browser Helper Objects list of Spybot shows "mljgh.dll" and "pmnmkkh.dll".
    The ActiveX list shows "c:\Windows\Downloaded Program Files\erma.inf". I wonder what that is...
    ================
    The HJT log is posted below....

    Logfile of HijackThis v1.99.1
    Scan saved at 10:33:10 AM, on 7/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\hkcmd.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
    O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    ================
    ZoneAlarm complains of "not-a-virus:Adware.Win32.Virtumonde.jp", which it is unable to repair.
    ================
    Norton 2007 and Avast were useless... Even the claims made by XoftSpySE that it can remove "Smitfraud-C" and "Locksky.Nag" were useless.

  2. #2
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    Latest update on what I have done so far

    OK, I uninstalled ZoneAlarm, the Norton 2007 15-day trial, Internet Explorer 7 and its updates. Installed Opera 9 and CCleaner. Ran CCleaner and removed whatever it reported. Renamed HJT to Scan. Now the log shows the DLLs which were NOT being reported before. Even though I fix the entries (shown below) in HJT in Safe Mode, they still return...

    O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
    O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll

    The above is the list of entries that I checked to delete. But they still appear...

    Here's the latest HJT log....
    =====================================
    Logfile of HijackThis v1.99.1
    Scan saved at 2:40:26 PM, on 7/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Opera\Opera.exe
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\scan.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
    O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
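
A defender's way of reading the entries in the log above, added here as an example (it is not the thread's own tool and not HijackThis code): it parses the "O2 - BHO:", "O20 - Winlogon Notify:" / "AppInit_DLLs:" and "O23 - Service:" line formats as they appear in the posted logs and flags a DLL that is registered both as a BHO and as a Winlogon Notify package, which is exactly the pair that keeps returning after a fix. The sample log is a constructed subset of the log above.

```python
"""Cross-reference the persistence entries in a HijackThis 1.99 log.

Added example (not from the thread or from HijackThis itself). It parses the
"O2 - BHO:", "O20 - Winlogon Notify:" / "AppInit_DLLs:" and "O23 - Service:"
line formats exactly as they appear in the posted logs and explains why a
BHO that is fixed in HijackThis keeps coming back.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the second HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\pmnmkkh.dll
O2 - BHO: (no name) - {F8796942-7C16-49A7-96F3-9DB822E6443E} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: pmnmkkh - C:\WINDOWS\SYSTEM32\pmnmkkh.dll
O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
"""

LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a binary extension; non-greedy so it stops
# at the real extension and is not fooled by the "1.5.1" in the XAMPP directory.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\[\]]*?\.(?:dll|exe|sys|scr|bat))\b", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs, e.g. ('O20', 'Winlogon Notify: mljgh - C:\\...')."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def module_name(body):
    """Lower-cased file name of the first Windows path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def analyse(text):
    """Return (section, item, reason) findings for the persistence entries in a log."""
    loaders = defaultdict(set)  # file name -> mechanisms that load it
    findings = []
    for section, body in parse_hjt(text):
        name = module_name(body)
        if section == "O2" and name:
            loaders[name].add("BHO")
            # An unnamed BHO living in system32 is worth identifying; a legitimate
            # unnamed one (SDHelper.dll above) normally sits under Program Files.
            if body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
                findings.append((section, name, "unnamed BHO loaded from system32: identify this DLL"))
        elif section == "O20":
            mech = "AppInit_DLLs" if body.startswith("AppInit_DLLs") else "Winlogon Notify"
            if name:
                loaders[name].add(mech)
            # AppInit_DLLs is injected into every process that loads user32.dll;
            # a Winlogon Notify package is loaded by winlogon.exe itself.
            findings.append((section, name or body, f"{mech} entry: identify this DLL"))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, name or body,
                             "service image not resolved; HijackThis 1.99 also says this for quoted paths with arguments"))
    # The correlation that explains the returning entries: a DLL registered both as a
    # BHO and as a Winlogon Notify package is already loaded by winlogon.exe (which
    # runs in Safe Mode too) when HijackThis tries to fix it, so the entries are written back.
    for name in sorted(loaders):
        if {"BHO", "Winlogon Notify"} <= loaders[name]:
            findings.append(("O2+O20", name,
                             "BHO is also a Winlogon Notify package: remove both entries and the file together"))
    return findings


def correlated_dlls(text):
    """Names of DLLs that appear both as a BHO and as a Winlogon Notify package."""
    return sorted(item for section, item, _ in analyse(text) if section == "O2+O20")


if __name__ == "__main__":
    for section, item, reason in analyse(SAMPLE_LOG):
        print(f"{section:7} {item:16} {reason}")
```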

  3. #3
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    ComboFix and HJT log and new development

    I ran ComboFix. Now Spybot does not detect Smitfraud-C, etc. during the scan. Instead, under "System Startup" in Spybot, I ALWAYS get these:
    "instcat.dll", "c:\windows\system32\mljgh.dll", etc., and they are unchecked!!!
    Even if I delete them, they still reappear.
    ------------------------------------------------------------------------

    "VSINE0003" - 2007-07-06 15:14:19 - ComboFix 07-07-04.4 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\adktunwp.dll
    C:\WINDOWS\system32\hlivybgm.dll
    C:\WINDOWS\system32\mgbyvilh.ini
    C:\WINDOWS\system32\hgjlm.bak1
    C:\WINDOWS\system32\hgjlm.bak2
    C:\WINDOWS\system32\hgjlm.ini
    C:\WINDOWS\system32\hgjlm.ini2
    C:\WINDOWS\system32\hgjlm.bak1
    C:\WINDOWS\system32\hgjlm.bak2
    C:\WINDOWS\system32\hgjlm.ini
    C:\WINDOWS\system32\hgjlm.ini2
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system32\pmnmkkh.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP
    C:\Program Files\Common Files\{78D80~1


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_ASC3550U
    -------\LEGACY_CLIENT_IP-IPX
    -------\LEGACY_DOMAINSERVICE
    -------\asc3550u
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


    2007-07-06 15:11 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-06 14:06 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\Opera
    2007-07-06 14:05 <DIR> d-------- C:\Program Files\Opera
    2007-07-06 13:48 <DIR> d-------- C:\!KillBox
    2007-07-06 12:38 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-06 12:35 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
    2007-07-06 09:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MailFrontier
    2007-07-06 03:09 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-07-05 22:15 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-07-05 22:15 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-05 22:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-05 22:15 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-07-05 22:15 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-05 22:15 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-07-05 22:15 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-05 22:14 <DIR> d-------- C:\Program Files\Alwil Software
    2007-07-05 15:36 512 --a------ C:\ScanSectorLog.dat
    2007-07-05 15:25 39,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-07-05 15:25 1,458,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-07-05 14:14 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
    2007-07-05 14:14 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-07-04 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-07-04 11:28 <DIR> d-------- C:\Program Files\BitComet
    2007-07-04 09:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-07-02 17:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-06-29 12:58 <DIR> d-------- C:\WINDOWS\pss
    2007-06-28 15:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-06-28 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-06-26 18:33 <DIR> d-------- C:\WINDOWS\PrimoPDF
    2007-06-26 18:33 <DIR> d-------- C:\Program Files\activePDF
    2007-06-26 16:44 <DIR> d-------- C:\Program Files\EMS
    2007-06-26 10:42 <DIR> d-------- C:\Program Files\SQLyog Community
    2007-06-26 10:42 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\SQLyog
    2007-06-25 17:00 <DIR> d-------- C:\Program Files\Intelligent Converters
    2007-06-25 16:29 <DIR> d-------- C:\Program Files\MySQL Query Analyzer
    2007-06-25 14:24 1,952 --a------ C:\WINDOWS\Sysvm32.dll
    2007-06-25 10:56 <DIR> d-------- C:\Program Files\MySQL
    2007-06-21 00:37 <DIR> d-------- C:\zip
    2007-06-21 00:33 <DIR> d-------- C:\unzip
    2007-06-20 23:47 <DIR> d-------- C:\xpdf-3.02-win32
    2007-06-20 23:32 <DIR> d-------- C:\antiword
    2007-06-20 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-06-20 18:00 <DIR> d-------- C:\xampp-win32-1.5.1
    2007-06-18 14:19 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\MySQL
    2007-06-15 16:32 <DIR> d-------- C:\Program Files\Zards software
    2007-06-08 16:09 796,672 --a------ C:\WINDOWS\GPInstall.exe
    2007-06-08 15:51 <DIR> d-------- C:\WINDOWS\Paltalk Messenger


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-06 04:51:40 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-07-05 13:52:21 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Windows NT
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Movie Maker
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Messenger
    2007-06-29 06:18:21 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
    2007-06-26 05:54:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-01 10:46:22 152,064 ----a-w C:\WINDOWS\system32\isys32.exe
    2007-05-30 11:53:40 -------- d-----w C:\Program Files\Common Files\Merge Modules
    2007-05-30 11:44:34 -------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
    2007-05-30 11:16:48 -------- d-----w C:\Program Files\HTML Help Workshop
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-07 05:15:52 -------- d-----w C:\Program Files\Common Files\Vbox
    2007-05-07 05:15:06 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-05-07 05:10:11 -------- d-----w C:\Program Files\Common Files\Macromedia Shared
    2007-05-04 15:46:09 0 ----a-w C:\WINDOWS\nsreg.dat
    2007-05-04 12:54:39 1,920 ----a-w C:\WINDOWS\system32\tmp.reg
    2007-05-04 05:56:11 138 ----a-w C:\WINDOWS\system32\winser.bin
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi(2).dll
    2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:09 C:\WINDOWS\SOUNDMAN.EXE]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 18:52]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 21:12]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:30]
    "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-05-10 16:31]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{65A63651-8AFB-4A2B-AC75-CB4C68B0DDB0}"="C:\Program Files\Common Files\System\mshexthk.dll" [2002-08-13 15:51]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\svchen.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee442-f15a-11db-ac14-001485fc561f}]
    Auto\command- E:\MicrosoftPowerPoint.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06f7df5e-dde5-11db-ac09-001485fc561f}]
    1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
    2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE 2.job
    2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-06 15:27:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mysql]
    "ImagePath"="C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt --defaults-file=C:\xampp-win32-1.5.1\xampp\mysql\bin\my.cnf mysql"

    Completion time: 2007-07-06 15:29:30 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-06 15:29

    --- E O F ---
    ==========================================================
    HJT Log starts here
    =====================================================
    Logfile of HijackThis v1.99.1
    Scan saved at 16:11, on 2007-07-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\System32\snmp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\scan.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)

  4. #4
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    Experts please help.... what do I do next?

    Waiting for your suggestion

  5. #5
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
    Waiting for your suggestion
    I suggest you start by reading the directions posted above, which are also posted at the top of the forum. If you still have malware issues, please do this:

    1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

    2) I need to know what this file is: C:\WINDOWS\system32\svchen.dll
    Use one or more of these free online scanners to find out and post the results:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html
    You will probably have to enable hidden files and folders to see the file:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Please tell me what your malware problems are. If you receive error messages, post those word for word.

    4) Post a new HJT log, the information I requested and nothing else unless you have comments that will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member, Join Date: Jul 2007, Posts: 16

    Updated logs as requested

    Hi,
    I have read the instructions for posting. I have created the folder HJT in "C:\" with the file "HijackThis.exe" in that folder. Well, after enabling hidden files and folders, I am unable to find "svchen.dll"!!!
    OK, my problem was that I had "Smitfraud-c" and "Locksky.Nag". But after following the posts by other users, "Smitfraud-c" and "Locksky.Nag" no longer appear in the Spybot manual scan. But now in Spybot -> Tools -> System start-up, I get a set of weird stuff as start-ups in the "System.ini" key. I mean weird because they are not in English; they are some vertical lines with an "@" character followed by "8". In addition to that, they also contain the files "instcat.dll" and "pmnmkkh.dll" and "C:\Windows\System32\mljgh.dll".
    There is also a "WgaLogon" with no command-line value. All the above said entries are in bold. Here's the catch: the above said entries are "unchecked" in the "System start-up" of Spybot and are present in "System.ini". Now even if I delete these unchecked values, they still reappear in the start-up of Spybot in System.ini as unchecked values!!! If you need a bitmap of what I am saying I will be glad to do so.
    However, I have posted a new HJT log and a Kaspersky online scan log. Note the Kaspersky log: it contains something helpful.
    =============================================================
    Logfile of HijackThis v1.99.1
    Scan saved at 09:42, on 2007-07-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\System32\snmp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)

    ==================================================
    Kaspersky online scanner log
    ---------------------------
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2007-07-09 08:58
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 6/07/2007
    Kaspersky Anti-Virus database records: 358938
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    V:\

    Scan Statistics:
    Total number of scanned objects: 203289
    Number of viruses found: 2
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 04:21:53

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\704aa8cd95d47ee56588259239842af6_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db5ded2d438f52841c9522b30cdd83f9_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7fc.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Simple user interface.txt Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_366.trc Object is locked skipped
    C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
    C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\pmnmkkh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\tracking.log Object is locked skipped
    C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP3\change.log Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\temp\Perflib_Perfdata_1e4.dat Object is locked skipped
    C:\WINDOWS\temp\Perflib_Perfdata_584.dat Object is locked skipped
    C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\access.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\error.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\ssl_request.log Object is locked skipped

    Scan process completed.

  7. #7
    pskelley (In Memoriam - always in our heart), Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247

    Thanks for the information and the feedback. Google knows nothing about this item:
    http://www.google.com/search?hl=en&q...=Google+Search and I can't search it from here, so we will delete it.

    The files you mention with the strange .dlls: if you recently removed Vundo without VundoFix, this is a good possibility. We will run ComboFix, it is good about picking up leftover Vundo.
    It may also remove this item: O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll but try this first:

    How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tuto...42.html#delreb
    Start Hijackthis
    Click on the Config button
    Click on the Misc Tools button
    Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\svchen.dll or copy/paste it to the tool and click on it once, and then click on the Open button. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

    KASPERSKY ONLINE SCANNER REPORT 2007-07-09 08:58

    C:\QooBox\Quarantine\ <<< please delete that folder in red and any other combofix you have on your computer. I wish to run it again, but I want a new download.

    I would delete these infected files and read the information in the link:
    C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
    C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
    http://forums.spybot.info/showthread.php?t=282 <<< see this

    Spybot: would you check to make sure your version of Spybot is totally up to date and fully immunized. Then run a scan and let me know what it finds that it can not remove. I may need to see the scan report, I will let you know once I get feedback from you.
    I would also appreciate it if you would open the "Recovery" folder and delete the contents.

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the ComboFix log and a new HijackThis log.
    Add any information I requested and any comments you think will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
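The two persistence points argued over in this thread, the O20 AppInit_DLLs value and the BHO/Run entries with Vundo-style random file names, are exactly what a responder scans an HJT log for by eye. As an added example, not code from the thread, from HijackThis or from Spybot, here is a small Python triage script that reads HijackThis 1.99.1-format lines and flags them, and also separates O23 services that are genuinely orphaned from the ones HijackThis 1.99.1 mislabels "(file missing)" because the ImagePath is quoted and carries arguments (the avast! Mail Scanner line above is that quirk: the service is listed as missing while ashMaiSv.exe is in the running-process list). The sample log lines are constructed for the example; the CLSID on the random-named BHO is a placeholder, not a real component.

```python
"""Triage HijackThis-format log lines for persistence entries worth a second look."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis 1.99.1 line format. The svchen.dll O20 line and the
# quoted-ImagePath O23 line mirror entries from this thread; the BHO CLSID for the
# random-named DLL is a placeholder, not a real component.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\mljgh.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
O23 - Service: Apache2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Locations a standard user can write to; legitimate Run entries rarely launch from here.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    section: str   # HijackThis section, e.g. "O20"
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """Extract the program path from a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|bat|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def stem(path: str) -> str:
    """Base file name without extension: C:\\x\\mljgh.dll -> mljgh."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Vundo-style generated names are 5-8 letters with no vowel (mljgh, pmnmkkh)."""
    return 5 <= len(name) <= 8 and name.isalpha() and re.search(r"[aeiouy]", name, re.I) is None


def triage(log: str) -> list[Finding]:
    """Walk the O-section lines and return findings in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, wrapped URLs
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append(Finding("high", section,
                    "AppInit_DLLs injects this DLL into every process that loads user32.dll; "
                    "the value is normally empty on a workstation", raw))
        elif section == "O2" and (bm := BHO_RE.match(body)):
            if looks_random(stem(bm.group("path"))):
                findings.append(Finding("high", section,
                    "browser helper object with a generated-looking file name", raw))
        elif section == "O4" and (rm := RUN_RE.match(body)):
            path = exe_path(rm.group("cmd"))
            if any(p in path.lower() for p in USER_WRITABLE):
                findings.append(Finding("medium", section,
                    "Run entry launches from a user-writable location", raw))
            elif looks_random(stem(path)):
                findings.append(Finding("medium", section,
                    "Run entry with a generated-looking file name", raw))
        elif section == "O23" and (sm := SERVICE_RE.match(body)):
            path = sm.group("path")
            if path.endswith("(file missing)"):
                if '"' in path:
                    findings.append(Finding("low", section,
                        "HijackThis 1.99.1 reports 'file missing' for quoted ImagePaths that carry "
                        "arguments (note the stray quote); confirm with 'sc qc <name>' before acting", raw))
                else:
                    findings.append(Finding("medium", section,
                        "service binary absent on disk: orphan of an uninstall, or a payload already removed", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

Run it on a saved hijackthis.log by passing the file contents to triage(). The no-vowel heuristic is deliberately narrow so that names like ctfmon or SDHelper pass untouched; it is a prompt for a VirusTotal/Jotti lookup, not a verdict, and an AppInit_DLLs hit is the one line here that warrants action before any lookup, since the DLL is re-loaded into every new process the moment the old copy is deleted.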

  8. #8
    Junior Member, Join Date: Jul 2007, Posts: 16

    Log files attached (Part 1)

    Hi

    I did run VundoFix at the early stages of the post to see if it would fix the affected files. But after the scan, no such files were reported by the tool.
    I deleted
    1) C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip/Share.exe Infected: not-a-virus:Client-P2P.Win32.Share.a skipped
    2) C:\Projects\EVEPS\MyDocuments\Share\Share 1.0 EX2 [Share-france.info].zip ZIP: infected - 1 skipped
    3) C:\QooBox\Quarantine\
    4) ComboFix files
    Now coming to HJT, I gave the file "C:\WINDOWS\SYSTEM32\svchen.dll" delete on reboot, but to no avail. It has come back in the fresh HJT log.
    I ran ComboFix.exe. I installed IE 7.0 and its updates and uninstalled Opera 9, as Kaspersky depends on IE6 and above. I then installed the Kaspersky ActiveX and updates and ran a fresh online scan. Spybot (v1.4) is totally up to date (new updates) and is fully immunized. It is a ritual for me to keep it that way every day. This time, strangely, Spybot has detected something. I have posted the ComboFix log, HJT log, Kaspersky log, BitDefender online scan results and the Spybot log (unchecked "Include uninstall list in report" and "Include list of services in report", checked "Do not report disabled or known legitimate items"). Do you want a bitmap of my start-up in Spybot so that you can see the strange dlls? Here's another trivial point: my time is being displayed in a 24hr format instead of AM/PM. Also, my system started getting infected only when a new network was attached to my network.
    Avast Antivirus suddenly gave a message box saying that it found a malware "Win32:Adware-gen. [Adw]" in my temporary folder. I deleted it. By the way, I ran a Trend Micro online scan; it showed up with malware: ADWARE_MEMWATCHER (94 infections) and TSPY_SMALL (13 infections). Check out the Spybot log, it contains the weird characters in System.ini. Awaiting your reply eagerly...

    ==============
    Kaspersky Log
    ==============
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2007-07-11 08:53
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 10/07/2007
    Kaspersky Anti-Virus database records: 360525
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    V:\

    Scan Statistics:
    Total number of scanned objects: 309637
    Number of viruses found: 1
    Number of infected objects: 5 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 04:37:04

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\704aa8cd95d47ee56588259239842af6_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db5ded2d438f52841c9522b30cdd83f9_5b9da10f-f644-4869-bdec-e4cb5daab1c5 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7b4.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temp\~DF153B.tmp Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\vsine0003.VYUHASOFTWARE\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_371.trc Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\tracking.log Object is locked skipped
    C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\change.log Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{16924332-E0C1-4D6F-8189-6B8B5F3655D7}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\temp\Perflib_Perfdata_580.dat Object is locked skipped
    C:\WINDOWS\temp\Perflib_Perfdata_7e0.dat Object is locked skipped
    C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\access.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\error.log Object is locked skipped
    C:\xampp-win32-1.5.1\xampp\apache\logs\ssl_request.log Object is locked skipped
    V:\Helpdesk\SysAidServerFree.exe/file0030/data0007 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    V:\Helpdesk\SysAidServerFree.exe/file0030 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    V:\Helpdesk\SysAidServerFree.exe/file0032/data0009 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    V:\Helpdesk\SysAidServerFree.exe/file0032 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
    V:\Helpdesk\SysAidServerFree.exe Inno: infected - 4 skipped

    Scan process completed.
    =============
    HJT Log
    =============
    Logfile of HijackThis v1.99.1
    Scan saved at 09:13, on 2007-07-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe
    C:\WINDOWS\System32\snmp.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Shortcut to stop IIS.lnk = C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\Software\..\Telephony: DomainName = vyuhasoftware.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = vyuhasoftware.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\svchen.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\xampp-win32-1.5.1\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (file missing)
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: mysql - Unknown owner - C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt.exe (file missing)
    ===============================================
    BitDefender Online scan results...
    =================================
    Identified Viruses [ 1 ]
    Infected Files [ 3 ]
    Disinfected [ 0 ]
    Deleted Files [ 3 ]

    First Action [ Disinfect ]
    Second Action [ Delete ]


    C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Infected with: Backdoor.Hupigon.BV ]
    C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Disinfection failed ]
    C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP12\A0000638.exe [ Deleted ]

  9. #9
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    Default Log files(Part2)

    ==================
    ComboFix Log
    ==================
    "VSINE0003" - 2007-07-10 10:00:23 - ComboFix 07-07-10.1 - Service Pack 2


    ((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


    2007-07-10 09:44 <DIR> d-------- C:\WINDOWS\LastGood
    2007-07-10 09:37 <DIR> d-------- C:\HJT
    2007-07-06 15:11 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-06 14:06 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\Opera
    2007-07-06 14:05 <DIR> d-------- C:\Program Files\Opera
    2007-07-06 12:38 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-06 12:35 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
    2007-07-06 09:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MailFrontier
    2007-07-06 03:09 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-07-05 22:15 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-07-05 22:15 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-05 22:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-05 22:15 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-07-05 22:15 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-05 22:15 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-07-05 22:15 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-05 22:14 <DIR> d-------- C:\Program Files\Alwil Software
    2007-07-05 15:36 512 --a------ C:\ScanSectorLog.dat
    2007-07-05 15:25 39,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-07-05 15:25 1,458,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-07-05 14:14 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
    2007-07-05 14:14 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-07-04 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-07-04 11:28 <DIR> d-------- C:\Program Files\BitComet
    2007-07-04 09:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-07-02 17:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-06-29 12:58 <DIR> d-------- C:\WINDOWS\pss
    2007-06-28 15:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-06-28 15:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-06-26 18:33 <DIR> d-------- C:\WINDOWS\PrimoPDF
    2007-06-26 18:33 <DIR> d-------- C:\Program Files\activePDF
    2007-06-26 16:44 <DIR> d-------- C:\Program Files\EMS
    2007-06-26 10:42 <DIR> d-------- C:\Program Files\SQLyog Community
    2007-06-26 10:42 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\SQLyog
    2007-06-25 17:00 <DIR> d-------- C:\Program Files\Intelligent Converters
    2007-06-25 16:29 <DIR> d-------- C:\Program Files\MySQL Query Analyzer
    2007-06-25 14:24 1,952 --a------ C:\WINDOWS\Sysvm32.dll
    2007-06-25 10:56 <DIR> d-------- C:\Program Files\MySQL
    2007-06-21 00:37 <DIR> d-------- C:\zip
    2007-06-21 00:33 <DIR> d-------- C:\unzip
    2007-06-20 23:47 <DIR> d-------- C:\xpdf-3.02-win32
    2007-06-20 23:32 <DIR> d-------- C:\antiword
    2007-06-20 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-06-20 18:00 <DIR> d-------- C:\xampp-win32-1.5.1
    2007-06-18 14:19 <DIR> d-------- C:\DOCUME~1\VSINE0~1.VYU\APPLIC~1\MySQL
    2007-06-15 16:32 <DIR> d-------- C:\Program Files\Zards software


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-06 04:51:40 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-07-05 13:52:21 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Windows NT
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Movie Maker
    2007-06-29 09:01:19 -------- d-----w C:\Program Files\Messenger
    2007-06-29 06:18:21 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
    2007-06-26 05:54:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-08 10:39:55 796,672 ----a-w C:\WINDOWS\GPInstall.exe
    2007-06-01 10:46:22 152,064 ----a-w C:\WINDOWS\system32\isys32.exe
    2007-05-30 11:53:40 -------- d-----w C:\Program Files\Common Files\Merge Modules
    2007-05-30 11:44:34 -------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
    2007-05-30 11:16:48 -------- d-----w C:\Program Files\HTML Help Workshop
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-04 15:46:09 0 ----a-w C:\WINDOWS\nsreg.dat
    2007-05-04 12:54:39 1,920 ----a-w C:\WINDOWS\system32\tmp.reg
    2007-05-04 05:56:11 138 ----a-w C:\WINDOWS\system32\winser.bin
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi(2).dll
    2007-04-16 17:17:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 17:15:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 17:15:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 17:15:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 17:15:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 17:15:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 17:15:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 17:15:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:09 C:\WINDOWS\SOUNDMAN.EXE]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 18:52]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 21:12]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:30]
    "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-05-10 16:31]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{65A63651-8AFB-4A2B-AC75-CB4C68B0DDB0}"="C:\Program Files\Common Files\System\mshexthk.dll" [2002-08-13 15:51]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\svchen.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04cee442-f15a-11db-ac14-001485fc561f}]
    Auto\command- E:\MicrosoftPowerPoint.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06f7df5e-dde5-11db-ac09-001485fc561f}]
    1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
    2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


    Contents of the 'Scheduled Tasks' folder
    2007-07-06 11:31:39 C:\WINDOWS\tasks\XoftSpySE 2.job
    2007-07-05 21:39:28 C:\WINDOWS\tasks\XoftSpySE.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-10 10:05:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mysql]
    "ImagePath"="C:\xampp-win32-1.5.1\xampp\mysql\bin\mysqld-nt --defaults-file=C:\xampp-win32-1.5.1\xampp\mysql\bin\my.cnf mysql"

    Completion time: 2007-07-10 10:06:21

    --- E O F ---

  10. #10
    Junior Member
    Join Date
    Jul 2007
    Posts
    16

    Default Log files(Part3)

    ==========
    Spybot log
    ===========

    --- Search result list ---
    Statcounter: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)
    WebTrends live: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Internet Explorer: VSINE0003) (Cookie, nothing done)

    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2007-07-06 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-07-03 Includes\Cookies.sbi (*)
    2007-05-30 Includes\Dialer.sbi (*)
    2007-07-03 Includes\DialerC.sbi (*)
    2007-06-20 Includes\Hijackers.sbi (*)
    2007-07-03 Includes\HijackersC.sbi (*)
    2007-06-27 Includes\Keyloggers.sbi (*)
    2007-07-03 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-06-20 Includes\Malware.sbi (*)
    2007-07-03 Includes\MalwareC.sbi (*)
    2007-03-21 Includes\PUPS.sbi (*)
    2007-07-03 Includes\PUPSC.sbi (*)
    2007-07-03 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-07-03 Includes\SecurityC.sbi (*)
    2007-06-20 Includes\Spybots.sbi (*)
    2007-07-03 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2007-07-03 Includes\Trojans.sbi (*)
    2007-07-03 Includes\TrojansC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll

    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
    / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
    / Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
    If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
    For more information, visit http://support.microsoft.com/kb/917283
    / Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
    If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
    For more information, visit http://support.microsoft.com/kb/922770
    / MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
    / Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
    / Windows / SP1: Microsoft National Language Support Downlevel APIs
    / Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
    / Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
    / Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
    / Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
    / Windows XP: Security Update for Windows XP (KB923689)
    / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
    / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
    / Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
    / Windows XP / SP3: Windows XP Hotfix - KB815304
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Windows XP Hotfix - KB885222
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB885884
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB886199
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Security Update for Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Security Update for Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB894391)
    / Windows XP / SP3: Hotfix for Windows XP (KB895246)
    / Windows XP / SP3: Hotfix for Windows XP (KB896344)
    / Windows XP / SP3: Security Update for Windows XP (KB896358)
    / Windows XP / SP3: Security Update for Windows XP (KB896423)
    / Windows XP / SP3: Security Update for Windows XP (KB896424)
    / Windows XP / SP3: Security Update for Windows XP (KB896428)
    / Windows XP / SP3: Update for Windows XP (KB898461)
    / Windows XP / SP3: Security Update for Windows XP (KB899587)
    / Windows XP / SP3: Security Update for Windows XP (KB899589)
    / Windows XP / SP3: Security Update for Windows XP (KB899591)
    / Windows XP / SP3: Update for Windows XP (KB900485)
    / Windows XP / SP3: Security Update for Windows XP (KB900725)
    / Windows XP / SP3: Security Update for Windows XP (KB901017)
    / Windows XP / SP3: Security Update for Windows XP (KB901190)
    / Windows XP / SP3: Security Update for Windows XP (KB901214)
    / Windows XP / SP3: Security Update for Windows XP (KB902400)
    / Windows XP / SP3: Security Update for Windows XP (KB904706)
    / Windows XP / SP3: Update for Windows XP (KB904942)
    / Windows XP / SP3: Security Update for Windows XP (KB905414)
    / Windows XP / SP3: Security Update for Windows XP (KB905749)
    / Windows XP / SP3: Security Update for Windows XP (KB908519)
    / Windows XP / SP3: Update for Windows XP (KB908531)
    / Windows XP / SP3: Update for Windows XP (KB910437)
    / Windows XP / SP3: Update for Windows XP (KB911280)
    / Windows XP / SP3: Security Update for Windows XP (KB911562)
    / Windows XP / SP3: Security Update for Windows XP (KB911567)
    / Windows XP / SP3: Security Update for Windows XP (KB911927)
    / Windows XP / SP3: Security Update for Windows XP (KB912919)
    / Windows XP / SP3: Security Update for Windows XP (KB913580)
    / Windows XP / SP3: Security Update for Windows XP (KB914388)
    / Windows XP / SP3: Security Update for Windows XP (KB914389)
    / Windows XP / SP3: Hotfix for Windows XP (KB914440)
    / Windows XP / SP3: Hotfix for Windows XP (KB915865)
    / Windows XP / SP3: Security Update for Windows XP (KB916281)
    / Windows XP / SP3: Update for Windows XP (KB916595)
    / Windows XP / SP3: Security Update for Windows XP (KB917159)
    / Windows XP / SP3: Security Update for Windows XP (KB917344)
    / Windows XP / SP3: Security Update for Windows XP (KB917422)
    / Windows XP / SP3: Security Update for Windows XP (KB917537)
    / Windows XP / SP3: Security Update for Windows XP (KB917953)
    / Windows XP / SP3: Security Update for Windows XP (KB918118)
    / Windows XP / SP3: Security Update for Windows XP (KB918439)
    / Windows XP / SP3: Security Update for Windows XP (KB918899)
    / Windows XP / SP3: Security Update for Windows XP (KB919007)
    / Windows XP / SP3: Security Update for Windows XP (KB920213)
    / Windows XP / SP3: Security Update for Windows XP (KB920214)
    / Windows XP / SP3: Update for Windows XP (KB920342)
    / Windows XP / SP3: Security Update for Windows XP (KB920670)
    / Windows XP / SP3: Security Update for Windows XP (KB920683)
    / Windows XP / SP3: Security Update for Windows XP (KB920685)
    / Windows XP / SP3: Update for Windows XP (KB920872)
    / Windows XP / SP3: Security Update for Windows XP (KB921398)
    / Windows XP / SP3: Security Update for Windows XP (KB921883)
    / Windows XP / SP3: Update for Windows XP (KB922582)
    / Windows XP / SP3: Security Update for Windows XP (KB922616)
    / Windows XP / SP3: Security Update for Windows XP (KB922760)
    / Windows XP / SP3: Security Update for Windows XP (KB922819)
    / Windows XP / SP3: Security Update for Windows XP (KB923191)
    / Windows XP / SP3: Security Update for Windows XP (KB923414)
    / Windows XP / SP3: Security Update for Windows XP (KB923694)
    / Windows XP / SP3: Security Update for Windows XP (KB923980)
    / Windows XP / SP3: Security Update for Windows XP (KB924191)
    / Windows XP / SP3: Security Update for Windows XP (KB924270)
    / Windows XP / SP3: Security Update for Windows XP (KB924496)
    / Windows XP / SP3: Security Update for Windows XP (KB924667)
    / Windows XP / SP3: Security Update for Windows XP (KB925454)
    / Windows XP / SP3: Security Update for Windows XP (KB925486)
    / Windows XP / SP3: Update for Windows XP (KB925876)
    / Windows XP / SP3: Security Update for Windows XP (KB925902)
    / Windows XP / SP3: Hotfix for Windows XP (KB926239)
    / Windows XP / SP3: Security Update for Windows XP (KB926247)
    / Windows XP / SP3: Security Update for Windows XP (KB926255)
    / Windows XP / SP3: Security Update for Windows XP (KB926436)
    / Windows XP / SP3: Security Update for Windows XP (KB927779)
    / Windows XP / SP3: Security Update for Windows XP (KB927802)
    / Windows XP / SP3: Update for Windows XP (KB927891)
    / Windows XP / SP3: Security Update for Windows XP (KB928090)
    / Windows XP / SP3: Security Update for Windows XP (KB928255)
    / Windows XP / SP3: Security Update for Windows XP (KB928843)
    / Windows XP / SP3: Security Update for Windows XP (KB929123)
    / Windows XP / SP3: Update for Windows XP (KB929338)
    / Windows XP / SP3: Security Update for Windows XP (KB929969)
    / Windows XP / SP3: Security Update for Windows XP (KB930178)
    / Windows XP / SP3: Update for Windows XP (KB930916)
    / Windows XP / SP3: Security Update for Windows XP (KB931261)
    / Windows XP / SP3: Security Update for Windows XP (KB931784)
    / Windows XP / SP3: Update for Windows XP (KB931836)
    / Windows XP / SP3: Security Update for Windows XP (KB932168)
    / Windows XP / SP3: Security Update for Windows XP (KB933566)
    / Windows XP / SP3: Security Update for Windows XP (KB935839)
    / Windows XP / SP3: Security Update for Windows XP (KB935840)


    --- Startup entries list ---
    Located: HK_LM:Run, Adobe Reader Speed Launcher
    command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    size: 40048
    MD5: 66d4456c920e21bd2188f8cc33680df5

    Located: HK_LM:Run, avast!
    command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    size: 75392
    MD5: 41b88784128c1eb3a24a928ce58b2455

    Located: HK_LM:Run, SetRefresh
    command: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    file: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    size: 524800
    MD5: 733529e61ff992cc97e7e27ed0aaaeed

    Located: HK_LM:Run, SoundMan
    command: SOUNDMAN.EXE
    file: C:\WINDOWS\SOUNDMAN.EXE
    size: 90112
    MD5: 8dcf5e6334eea54336c93a6f0d8ceeb8

    Located: HK_LM:RunOnceEx, Register Homesite+.exe
    command: "C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER
    file: C:\Program Files\Macromedia\HomeSite+\Homesite+.exe
    size: 2254848
    MD5: 140e5c68a673ee5a09fdefb6a914d05b

    Located: HK_CU:Run, ccleaner
    command: "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    file: C:\Program Files\CCleaner\ccleaner.exe
    size: 598920
    MD5: 02dc8f8fdc55ffe0a7ae6626bdd3f850

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, SpybotSD TeaTimer
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1415824
    MD5: 70496eee0ddbe485f658693826f44d38

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
    size: 65588
    MD5: 57cb86b1cdd77eb5138ba05d1f193463

    Located: Startup (user), Shortcut to stop IIS.lnk
    command: C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    file: C:\Documents and Settings\vsine0003.VYUHASOFTWARE\Desktop\stop IIS.bat
    size: 118
    MD5: 7c17166a45d2275c3177ae22e481faa6

    Located: System.ini, (˜ (DISABLED)
    command: (˜
    file: (˜

    Located: System.ini, instcat (DISABLED)
    command: instcat.dll
    file: instcat.dll

    Located: System.ini, mljgh (DISABLED)
    command: C:\WINDOWS\system32\mljgh.dll
    file: C:\WINDOWS\system32\mljgh.dll

    Located: System.ini, pmnmkkh (DISABLED)
    command: pmnmkkh.dll
    file: pmnmkkh.dll

    Located: System.ini, WgaLogon (DISABLED)
    command:
    file:

    Located: System.ini, Àpx€ (DISABLED)
    command: Àpx€
    file: Àpx€

    Located: System.ini, ø¨°€ (DISABLED)
    command: ø¨°€
    file: ø¨°€

    Located: System.ini, ˆ8@€ (DISABLED)
    command: ˆ8@€
    file: ˆ8@€

    Located: System.ini, ˆ8@€ (DISABLED)
    command: ˆ8@€
    file: ˆ8@€


    Spybot log continues in next log...
