
Thread: Virtumonde...is driving me crazy

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    10

    Virtumonde...is driving me crazy

    I used this computer for my work and right now it's practically useless. I followed the things to do first but was unable to complete the Kaspersky scan two different times. The IE window just suddenly closed after about 2 hours runtime. Any help would be greatly appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:16:22 PM, on 9/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\HPQ\SHARED\HPQWMI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\RssReader\RssReader.exe
    C:\Garmin\gStart.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\PROGRA~1\COMMON~1\STEM32~1\nslookup.exe
    C:\WINDOWS\system32\??curity\u?erinit.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2C1BFE80-6B45-7AC6-6724-4D71C27293BC} - C:\WINDOWS\system32\pgr.dll
    O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - C:\Program Files\Ovawrgte\asqetbcz.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [wzaxqjyf] rundll32.exe "C:\Program Files\wzaxqjyf\kzitcfux.dll",Init
    O4 - HKLM\..\Run: [wjwzqnuh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wjwzqnuh.dll"
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
    O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\bpatterson\smss.exe
    O4 - HKCU\..\Run: [Weed] "C:\PROGRA~1\COMMON~1\STEM32~1\nslookup.exe" -vt ndrv
    O4 - HKCU\..\Run: [Iqn] C:\WINDOWS\system32\??curity\u?erinit.exe
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MSSQL$PARAGON.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://waco.fnismls.com/Paragon/Code...intControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127537344406
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mainstreetval.com/ImageUploader4.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
    O20 - AppInit_DLLs: systems.txt
    O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\BPATTE~1\LOCALS~1\Temp\~~install.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    --
    End of file - 9707 bytes
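The entries that stand out in the log above can be checked mechanically. The following Python script is an added example, not code from the thread, from HijackThis or from any tool it mentions: each check encodes one indicator a log reader picks out by eye here (a service ImagePath that is an NTFS alternate data stream, a `?` in a path, a populated AppInit_DLLs value, rundll32/regsvr32 autoruns, persistence from Temp or Application Data, a system binary name outside the system directory, nameless BHOs, a bare-name autorun, and services with no vendor string). The heuristic names, the regular expressions and the `SYSTEM_BINARIES` list are the example's own choices; the sample input is a constructed excerpt of lines copied from the first log plus a few benign ones.

```python
"""Heuristic triage of a HijackThis-style log (added example, not from the thread)."""
import re
from typing import List, Tuple

# Names malware borrows; one of these outside the Windows system directory is a masquerade.
# (Assumed list for the example; extend to taste.)
SYSTEM_BINARIES = {"smss.exe", "userinit.exe", "svchost.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "csrss.exe", "nslookup.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Directories a persistent autorun, scheduler DLL or service should rarely load from.
WRITABLE_DIRS = re.compile(r"\\(temp|application data|locals~1|all users)\\", re.I)

# Loaders that run a DLL without a host executable of its own.
DLL_LOADERS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)

# A Windows path with a known extension, plus an optional ':stream' suffix (NTFS ADS).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll|sys|cpl|ocx|bat|cmd)(?::[^\s",]+)?', re.I)
ADS_SUFFIX = re.compile(r"\.(?:exe|dll|sys|cpl|ocx|bat|cmd):", re.I)


def findings_for(line: str) -> List[str]:
    """Return the reasons (possibly none) that one HJT entry deserves a closer look."""
    reasons: List[str] = []
    code = line.split(" - ", 1)[0].strip()          # "O4", "O23", "R1", ...
    low = line.lower()
    paths = WIN_PATH.findall(line)

    # '?' is not a legal filename character, so one in a logged path means the
    # tool could not render the real character: usually a non-ASCII lookalike.
    if any("?" in p for p in paths):
        reasons.append("path contains '?': unrenderable character, likely a lookalike name")
    if code == "O23" and any(ADS_SUFFIX.search(p) for p in paths):
        reasons.append("service ImagePath is an NTFS alternate data stream")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service carries no vendor string")
    if code == "O20":
        reasons.append("AppInit_DLLs is set; it is loaded into every process that links user32.dll")
    if code == "O2" and "(no name)" in low:
        reasons.append("browser helper object with no name")
    if code == "O4" and DLL_LOADERS.search(line):
        reasons.append("autorun uses rundll32/regsvr32 to load a DLL")
    if code in {"O4", "O22", "O23"} and any(WRITABLE_DIRS.search(p) for p in paths):
        reasons.append("loads from a user-writable or temporary directory")
    if code == "O4" and "run:" in low and not paths:
        reasons.append("autorun is a bare file name resolved through the search path")
    for p in paths:
        parent, _, name = p.rpartition("\\")
        if name.lower() in SYSTEM_BINARIES and parent.lower() not in SYSTEM_DIRS:
            reasons.append(f"{name} masquerading outside the Windows system directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan the R/O entries of a log and return (line, reasons) for every flagged entry."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"[OR]\d+ - ", line):
            continue                                 # process list, header, blank lines
        reasons = findings_for(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample: entries copied from the first log in this thread plus a few
# benign ones, so the example runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C1BFE80-6B45-7AC6-6724-4D71C27293BC} - C:\WINDOWS\system32\pgr.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - C:\Program Files\Ovawrgte\asqetbcz.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [wzaxqjyf] rundll32.exe "C:\Program Files\wzaxqjyf\kzitcfux.dll",Init
O4 - HKLM\..\Run: [wjwzqnuh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wjwzqnuh.dll"
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\bpatterson\smss.exe
O4 - HKCU\..\Run: [Weed] "C:\PROGRA~1\COMMON~1\STEM32~1\nslookup.exe" -vt ndrv
O4 - HKCU\..\Run: [Iqn] C:\WINDOWS\system32\??curity\u?erinit.exe
O20 - AppInit_DLLs: systems.txt
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\BPATTE~1\LOCALS~1\Temp\~~install.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run on the excerpt it flags 13 of the 18 entries and leaves the Adobe BHO, QuickTime, vptray and Norton lines alone. Two of the checks deserve a caveat: the `?` rule only works on paths the log tool could not render (the `??curity\u?erinit.exe` entry reads as a lookalike of `security\userinit.exe`, but the script cannot tell you which characters were substituted), and the ADS rule relies on the second colon in `svchost.exe:exe.exe`, which the SDFix log later in the thread confirms was a 51200-byte stream attached to the real svchost.exe.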

  2. #2
    Retired Security Volunteer
    Join Date
    Dec 2006
    Posts
    752


    Hi, welcome to Safer Networking!

    I used this computer for my work and right now it's practically useless
    With the amount of infections you have, you're right.

    Is your Norton product up to date with its definitions? It's definitely not doing its job.
    =======

    *Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

    Oin
    Yazzle by Oin
    Purityscan by Oin
    Snowballwars by Oin
    or anything similar with Oin or Outerinfo in it.
    Zolero
    Tizzletalk
    MediaTickets
    Cowabanga


    *Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    Reboot when done.
    _______

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.
    _______

    Download combofix.exe

    1. Save it to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    _______

    HJT Uninstall list
    • Open HijackThis > Click "Misc Tools Section"
    • Click "Open Uninstall Manager".
    • Click "Save List".
    • Save it to your Desktop.
    • Copy the contents of the file to your next reply.


    On your next reply, please include a
    • Fresh HijackThis log.
    • HJT Uninstall list
    • Combofix log.
    • SDFix log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    10


    Norton is supposedly up to date but obviously not doing an adequate job. I searched in the Add/Remove Programs but did not find any of the ones you listed or any of the potential OI ones. I had previously removed some entries that I did not install, some sort of games, but don't recall the suite having a -OI on them.

    Anyway, I ran the SDFix and here is the log:


    SDFix: Version 1.104

    Run by bpatterson on Thu 09/13/2007 at 09:31 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    ICF
    msupdate

    ImagePath:
    C:\WINDOWS\system32\svchost.exe:exe.exe
    c:\windows\system32\msvcrtd.exe

    ICF - Deleted
    msupdate - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...

    Service asc355 - Deleted after Reboot

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\Documents and Settings\bpatterson\Local Settings\Temp\ttsetup.tmp.exe - Deleted
    C:\WINDOWS\Temp\win136.tmp.exe - Deleted
    C:\WINDOWS\Temp\win138.tmp.exe - Deleted
    C:\WINDOWS\Temp\win136.tmp.exe - Deleted
    C:\WINDOWS\Temp\win138.tmp.exe - Deleted
    C:\Program Files\Setup.exe - Deleted
    C:\wintemp.log - Deleted
    C:\WINDOWS\mgrs.exe - Deleted
    C:\WINDOWS\system32\drivers\asc355.sys - Deleted


    Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    : ADS Found!

    svchost.exe: deleted 51200 bytes in 1 streams.

    Checking for remaining Streams

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes:


    Finished!

    Moving on to the rest of your instructions...already better and thanks a TON for the help!

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Posts
    10


    Here is the ComboFix log. Will run and post the HJT log next...

    ComboFix 07-09-13.3 - "bpatterson" 2007-09-13 10:50:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.82 [GMT -5:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\ngdgtine.dll
    C:\DOCUME~1\BPATTE~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\NYS3Q4W9\www.broadcaster.com
    C:\DOCUME~1\BPATTE~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\DOCUME~1\BPATTE~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\DOCUME~1\BPATTE~1\MYDOCU~1\SMANTE~1
    C:\Program Files\Hhfryvqi
    C:\Program Files\Hhfryvqi\drcoolpg.dll
    C:\Program Files\Ovawrgte
    C:\Program Files\Ovawrgte\asqetbcz.dll
    C:\Program Files\SecCenter
    C:\Program Files\SecCenter\scprot4.exe
    C:\Program Files\SecCenter\scprot4.exe.bak
    C:\Program Files\wzaxqjyf
    C:\Program Files\wzaxqjyf\kzitcfux.dll
    C:\WINDOWS\Casino.ico
    C:\WINDOWS\Free Online Dating.ico
    C:\WINDOWS\Spyware Remover.ico
    C:\WINDOWS\system32\curity~1
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\system32\wnsintsv.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
    .

    2007-09-13 09:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 09:30 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-09-12 23:15 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-11 14:35 7,680 --a------ C:\sysztoa.exe
    2007-09-11 11:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-11 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-11 08:33 0 --a------ C:\winxplogon.sys
    2007-09-11 08:22 92,672 --a------ C:\WINDOWS\system32\drvrum.dll
    2007-09-11 08:22 15,360 --a------ C:\WINDOWS\system32\drvrumr.dll
    2007-09-11 08:22 <DIR> d-------- C:\WINDOWS\system32\okqipwgf
    2007-09-10 01:37 20,480 --a------ C:\WINDOWS\system32\winmmt32.dll
    2007-09-10 01:33 4,002 --a------ C:\Program Files\hlpsrv.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-10 01:32 14336 --a------ C:\WINDOWS\system32\svchost.exe
    2007-08-28 14:37 --------- d-------- C:\Program Files\FTP Commander
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 04:52]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]
    "RssReader"="C:\Program Files\RssReader\RssReader.exe" [2004-04-04 17:21]
    "gStart"="C:\Garmin\gStart.exe" [2005-07-25 09:05]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-23 09:32:22]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]
    MSSQL$PARAGON.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe [2002-12-17 17:23:26]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

    C:\DOCUME~1\BILLPA~1\STARTM~1\Programs\Startup\
    palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-06-09 14:11:10]

    C:\DOCUME~1\BPATTE~1\STARTM~1\Programs\Startup\
    palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-06-09 14:11:10]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\BPATTE~1\LOCALS~1\Temp\~~install.dll [ ]

    R2 MSSQL$PARAGON;MSSQL$PARAGON;C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlservr.exe -sPARAGON
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
    R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys
    S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys
    S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys
    S3 SQLAgent$PARAGON;SQLAgent$PARAGON;C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlagent.EXE -i PARAGON


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14656-11d8-11db-b90b-00c09fc5d4ae}]
    AutoRun\command- E:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2005-11-22 04:57:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-13 10:59:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?0?4?1??????? ???B?????????????hLC? ??????

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-13 11:04:19 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-13 11:03
    .
    --- E O F ---

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    10


    OK, here is the HJT logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:14, on 2007-09-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\HPQ\SHARED\HPQWMI.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Garmin\gStart.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Trend Micro\HijackThis\Problems.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MSSQL$PARAGON.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://waco.fnismls.com/Paragon/Code...intControl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127537344406
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mainstreetval.com/ImageUploader4.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
    O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\BPATTE~1\LOCALS~1\Temp\~~install.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    --
    End of file - 8192 bytes

  6. #6
    Junior Member
    Join Date
    Sep 2007
    Posts
    10

    Default

    OK, everything you told me to do is done. Here is the HJT Uninstall List:


    50 Greatest Secrets of Digital Photography
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Photoshop 5.5
    Adobe Reader 7.0.9
    Adobe® Photoshop® Album Starter Edition 3.0
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Chord Warrior Trial (remove only)
    Conexant AC-Link Audio
    Data Fax SoftModem with SmartCP
    Device drivers for Simple Backup
    Easy Internet Sign-up
    Fretboard IQ
    FTP Commander
    Garmin Training Center v4
    GearBox 2.00 (Remove Only)
    Google Earth
    Google Toolbar for Internet Explorer
    GuitarPort 2.51 (Remove Only)
    HatcoAgent7.0a
    HijackThis 2.0.2
    Hotfix for Windows XP (KB909394)
    hp deskjet 3320 series (Remove only)
    HP Help and Support
    hp instant support
    HP Software Update
    HP User Guides 0001
    HP Wireless Assistant 1.01 A2
    IBP 9.0.3
    InStitches 2.0
    InterVideo WinDVD
    iTunes
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    Kaspersky Online Scanner
    Line 6 Edit (remove only)
    Line 6 Monkey 1.13 (Remove Only)
    LiveUpdate 1.6 (Symantec Corporation)
    LucasArts' Jedi Knight
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft ActiveSync 4.0
    Microsoft Money 2005
    Microsoft Office 2000 Premium
    Microsoft Office Standard Edition 2003
    Microsoft SQL Server Desktop Engine (PARAGON)
    Microsoft Web Publishing Wizard 1.52
    Microsoft Works
    muvee autoProducer 4.0 - SE
    Norton AntiVirus Corporate Edition
    palmOne
    Paragon MLS Desktop
    PODxt Drivers 2.6.8.0 (Remove Only)
    PODxt Drivers 3.0.0.4 (Remove Only)
    Quick Launch Buttons 5.10 B5
    QuickTime
    RealPlayer
    RiffWorks 1.00 (Remove Only)
    RiffWorks Line 6 Edition
    RssReader
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB901214)
    Shockwave
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Spybot - Search & Destroy 1.4
    SQLXML 3.0
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515 drivers.
    The Print Shop 20
    Tune Tools for iPod
    Ulead COOL 360 1.0
    upapp
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix - KB894476
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    ZipForm Desktop

    Things are looking a LOT better. Thanks again for all your help! Awaiting further instructions....

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Posts
    10

    Default

    Finally got a Kaspersky scan to finish. Here's the log:

    2007-09-14 08:12
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 14/09/2007
    Kaspersky Anti-Virus database records: 418126


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    P:\
    Q:\

    Scan Statistics
    Total number of scanned objects 105449
    Number of viruses found 25
    Number of infected objects 101
    Number of suspicious objects 4
    Duration of the scan process 03:01:53

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1cad55876b5f108b0a48926513ecc3ef_83bb1a9d-1b89-48fa-8173-a8eda937e99d Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7ed2eae19ea04a5b389ee9b405a80d14_83bb1a9d-1b89-48fa-8173-a8eda937e99d Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aaa421fa07cd7d800d75ab76d6339900_83bb1a9d-1b89-48fa-8173-a8eda937e99d Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eeba08610cf0121653cf3972b5226e58_83bb1a9d-1b89-48fa-8173-a8eda937e99d Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/avp.exe Suspicious: Password-protected-EXE skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip/win134.tmp.exe Suspicious: Password-protected-EXE skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip ZIP: suspicious - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00800000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00800001.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01140000.VBN Infected: Backdoor.Win32.VB.bhl skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\013C0000.VBN Infected: not-virus:Hoax.Win32.Renos.jh skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\013C0001.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01480001.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\031C0000.VBN Infected: not-virus:Hoax.Win32.Renos.jg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\052C0000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\052C0001.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\056C0004.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05700004.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05780000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05800000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\061C0000.VBN Infected: Trojan-PSW.Win32.LdPinch.ckg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06300000.VBN Infected: Trojan-PSW.Win32.LdPinch.ckg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06300001.VBN Infected: Trojan-PSW.Win32.LdPinch.ckg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06500000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06500001.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07EC0000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07F80000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07FC0000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\082C0001.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08300000.VBN/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08300000.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08300000.VBN ZIP: infected - 2 skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08300000.VBN CryptZ: infected - 2 skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08340000.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08380000.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09380000.VBN Infected: Trojan-Downloader.Win32.Small.evy skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\093C0000.VBN Infected: Trojan-Downloader.Win32.Small.evy skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C780000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C780001.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C780002.VBN Infected: not-virus:Hoax.Win32.Renos.jg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C7C0000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C7C0001.VBN Infected: not-virus:Hoax.Win32.Renos.jg skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D540000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D580000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D600000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D600001.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D600002.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D640000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E3C0000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E3C0001.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E9C0000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA80000.VBN Infected: Trojan-Dropper.Win32.Delf.agw skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA80001.VBN Infected: Trojan-Dropper.Win32.Delf.agw skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA80002.VBN Infected: Trojan-Dropper.Win32.Agent.ol skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EEC0000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped

    C:\Documents and Settings\bpatterson\Application Data\$_hpcst$.hpc Object is locked skipped

    C:\Documents and Settings\bpatterson\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\History\History.IE5\MSHist012007091320070914\index.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\Temp\WCESLog.log Object is locked skipped

    C:\Documents and Settings\bpatterson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

    C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe NSIS: infected - 1 skipped

    C:\Documents and Settings\bpatterson\ntuser.dat Object is locked skipped

    C:\Documents and Settings\bpatterson\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\master.mdf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\mastlog.ldf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\model.mdf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\modellog.ldf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\tempdb.mdf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Data\templog.ldf Object is locked skipped

    C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\LOG\ERRORLOG Object is locked skipped

    C:\SDFix\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\SDFix\SDFix\backups\backups.zip/backups/setup.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\SDFix\SDFix\backups\backups.zip/backups/setup.exe Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\SDFix\SDFix\backups\backups.zip/backups/win138.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

    C:\SDFix\SDFix\backups\backups.zip ZIP: infected - 4 skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP309\A0025877.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP309\A0025882.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP309\A0025883.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026513.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026520.exe Infected: Packed.Win32.PolyCrypt.d skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026530.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.ckq skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026530.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026590.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP320\A0026594.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP321\A0027702.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP321\A0027702.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP321\A0028861.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP321\A0028861.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP323\A0030957.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP323\A0030967.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP323\A0030967.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP324\A0031051.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP324\A0031061.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

  8. #8
    Junior Member
    Join Date
    Sep 2007
    Posts
    10

    Default

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP324\A0031061.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0031138.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0031148.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0031148.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0032172.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cme skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0032172.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032186.sys Infected: Trojan-Proxy.Win32.Agent.pa skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032194.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032194.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032251.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032270.sys Infected: Trojan-Proxy.Win32.Agent.pa skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032292.sys Infected: Trojan-Proxy.Win32.Agent.pa skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032303.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032303.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033364.exe Infected: Trojan-Downloader.Win32.PurityScan.dx skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033366.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033383.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033383.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033384.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033389.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033390.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.cnc skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033390.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0033393.exe Infected: Trojan.Win32.Dialer.qn skipped

    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP327\change.log Object is locked skipped

    C:\WINDOWS\CSC\00000001 Object is locked skipped

    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\drvrum.dll Infected: Trojan.Win32.Dialer.qn skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\system32\winmmt32.dll Infected: Trojan.Win32.Dialer.qn skipped

    C:\WINDOWS\Temp\Perflib_Perfdata_cc.dat Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Q:\tools\backups\backup-20070125-131507-245.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

    Scan process completed.

  9. #9
    Retired Security Volunteer
    Join Date
    Dec 2006
    Posts
    752

    Default

    Hi,

    Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

    Did you add these sites in your trusted sites list? If you did, I just want to warn you that when you visit these sites, your computer has a lower level of security when accessing them so it may be potentially dangerous. However, if you didn't add them, you can remove them.

    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.line6.net


    Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
    _____

    Combofix Deletions
    • Open notepad.
    • Copy and paste the text inside the code box below to notepad

    Code:
    File::
    C:\sysztoa.exe
    C:\winxplogon.sys
    C:\WINDOWS\system32\drvrum.dll
    C:\WINDOWS\system32\drvrumr.dll
    C:\WINDOWS\system32\winmmt32.dll
    C:\Program Files\hlpsrv.exe
    C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe
    Q:\tools\backups\backup-20070125-131507-245.dll
    
    Folder::
    C:\WINDOWS\system32\okqipwgf
    C:\SDFix
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{24E31EA9-FCE2-404F-BD80-20543565D946}"=-
    • Save and Name it as "CFScript"
    • Drag and drop CFScript.txt to your copy of combofix.
    • You can take a look at the image below if you're unsure on how to do it.
    • Combofix will restart your machine, then it will produce a log afterwards.
    • Please post the contents of that log along with a fresh HijackThis log
    _____

    Open the Symantec Control Panel
    Click View | Quarantine.
    Select the file or group of files.
    Do one of the following:
    • Right click the file and choose Delete Permanently, or
    • Click the X Delete button.

    Click Start Delete
    _____

    Your Java is out of date....
    Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components.
    • Click Start > Control Panel
    • Click Add/Remove Programs
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove button.
    • Repeat as many times as necessary to remove all versions of Java.
    • Reboot your computer once all Java components are removed.
    Then download Java Runtime Environment 6u2, and install it to your computer.

    On your next reply, please include:
    • A fresh HijackThis log.
    • A detailed description of how your machine is running.
    • The ComboFix log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.
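
The File:: list in the reply above was assembled by reading the Kaspersky log and keeping only the detections that sit on the running system (drvrum.dll, winmmt32.dll, OiUninstaller.exe, the backup-*.dll under Q:\tools), while skipping the far larger number of hits that are already inert in the Norton quarantine, in System Restore points, or in the SDFix/Spybot backup archives. The script below is an added example, not code from the thread or from any of the tools named in it: it parses lines in the Kaspersky Online Scanner format and sorts them into those buckets, so the headline "Number of infected objects 101" can be read for what it is. The sample lines are constructed from the format posted above (a handful of representative entries, not the full log), and the bucket names and the marker substrings used to recognise quarantine, restore-point and tool-backup paths are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Kaspersky Online Scanner log lines posted in
# the thread: one representative line per location class, not the full log.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00800000.VBN Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/avp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\SDFix\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP326\A0032186.sys Infected: Trojan-Proxy.Win32.Agent.pa skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drvrum.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\winmmt32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe NSIS: infected - 1 skipped
Q:\tools\backups\backup-20070125-131507-245.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
"""

# One log line is "<path with spaces> <verdict> <last action>". The path is matched
# lazily, so it stops at the first point where a known verdict phrase follows.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked|"
    r"(?:ZIP|NSIS|CryptZ): (?:infected|suspicious) - \d+) "
    r"(?P<action>\S+)$"
)

# Assumed marker substrings (my own choice) for locations where a detection is
# already contained and cannot run unless somebody restores it.
CONTAINED_MARKERS = (
    ("quarantine", "\\Quarantine\\"),
    ("restore_point", "\\System Volume Information\\_restore"),
    ("tool_backup", "\\SDFix\\"),
    ("tool_backup", "\\Spybot - Search & Destroy\\Recovery\\"),
)


def parse_line(line):
    """Return the path/verdict/action fields of one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def outer_file(path):
    """Archive members are logged as outer/member; Windows paths never contain '/'."""
    return path.split("/", 1)[0]


def classify(path):
    lowered = path.lower()
    for label, marker in CONTAINED_MARKERS:
        if marker.lower() in lowered:
            return label
    return "live"  # nothing contains it: it is on the running system


def triage(log_text):
    """Sort detections into buckets; returns {bucket: [entries]}."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = rec["verdict"]
        if verdict == "Object is locked":
            # Not a detection: the file was in use and was never scanned.
            buckets["locked"].append(rec["path"])
        elif verdict.startswith(("ZIP:", "NSIS:", "CryptZ:")):
            # Per-container totals repeat the member lines; keep them apart so
            # they are not double-counted as separate infections.
            buckets["container_summary"].append(rec["path"])
        else:
            _kind, name = verdict.split(": ", 1)
            buckets[classify(rec["path"])].append((outer_file(rec["path"]), name))
    return dict(buckets)


def live_files(log_text):
    """Unique outer files that are infected on the running system, in log order."""
    seen = []
    for path, _name in triage(log_text).get("live", []):
        if path not in seen:
            seen.append(path)
    return seen


def summary(log_text):
    return {bucket: len(entries) for bucket, entries in triage(log_text).items()}


if __name__ == "__main__":
    for bucket, count in sorted(summary(SAMPLE_LOG).items()):
        print(f"{bucket:18} {count}")
    print("live files needing attention:")
    for path in live_files(SAMPLE_LOG):
        print("  ", path)
```

Run against the sample, the four "live" paths are exactly the ones the helper put in the File:: section, and the quarantine, restore-point and backup-archive hits drop into their own buckets. The "locked" bucket is worth keeping visible too: those files (registry hives, event logs, index.dat) were never scanned, so a clean result says nothing about them.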

  10. #10
    Junior Member
    Join Date
    Sep 2007
    Posts
    10

    Default

    As to these two websites:

    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.line6.net

    I did add them to the trusted zone.

    And here is the new ComboFix log:

    ComboFix 07-09-13.3 - "bpatterson" 2007-09-15 8:52:46.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.88 [GMT -5:00]
    * Created a new restore point

    FILE::
    C:\sysztoa.exe
    C:\winxplogon.sys
    C:\WINDOWS\system32\drvrum.dll
    C:\WINDOWS\system32\drvrumr.dll
    C:\WINDOWS\system32\winmmt32.dll
    C:\Program Files\hlpsrv.exe
    C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe
    Q:\tools\backups\backup-20070125-131507-245.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\bpatterson\My Documents\SpyWare\OiUninstaller.exe
    C:\Program Files\hlpsrv.exe
    C:\SDFix
    C:\SDFix\SDFix\apps\assosfix.reg
    C:\SDFix\SDFix\apps\cliptext.exe
    C:\SDFix\SDFix\apps\cpuinfo.exe
    C:\SDFix\SDFix\apps\download.exe
    C:\SDFix\SDFix\apps\drivers.exe
    C:\SDFix\SDFix\apps\dummy.sys
    C:\SDFix\SDFix\apps\Enable_Command_Prompt.reg
    C:\SDFix\SDFix\apps\ERDNT.E_E
    C:\SDFix\SDFix\apps\ERDNTDOS.LOC
    C:\SDFix\SDFix\apps\ERDNTWIN.LOC
    C:\SDFix\SDFix\apps\ERUNT.EXE
    C:\SDFix\SDFix\apps\ERUNT.LOC
    C:\SDFix\SDFix\apps\fix.reg
    C:\SDFix\SDFix\apps\FixBH.reg
    C:\SDFix\SDFix\apps\FIXCU.reg
    C:\SDFix\SDFix\apps\FIXLM.reg
    C:\SDFix\SDFix\apps\FixPath.exe
    C:\SDFix\SDFix\apps\FixRedir.reg
    C:\SDFix\SDFix\apps\FixWebCheck.reg
    C:\SDFix\SDFix\apps\fixXP.reg
    C:\SDFix\SDFix\apps\FixXPsp2.reg
    C:\SDFix\SDFix\apps\HPFix.reg
    C:\SDFix\SDFix\apps\HPFix2.reg
    C:\SDFix\SDFix\apps\HPFix3.reg
    C:\SDFix\SDFix\apps\ISADMIN.EXE
    C:\SDFix\SDFix\apps\leg2.txt
    C:\SDFix\SDFix\apps\legacy.txt
    C:\SDFix\SDFix\apps\legacybk.txt
    C:\SDFix\SDFix\apps\locate.com
    C:\SDFix\SDFix\apps\LS.exe
    C:\SDFix\SDFix\apps\MD5File.exe
    C:\SDFix\SDFix\apps\moveex.exe
    C:\SDFix\SDFix\apps\MyGcpvFix.reg
    C:\SDFix\SDFix\apps\MyGkFix2.reg
    C:\SDFix\SDFix\apps\Process.exe
    C:\SDFix\SDFix\apps\procs.exe
    C:\SDFix\SDFix\apps\psservice.exe
    C:\SDFix\SDFix\apps\RegDACL.exe
    C:\SDFix\SDFix\apps\Rem.txt
    C:\SDFix\SDFix\apps\Rem2.txt
    C:\SDFix\SDFix\apps\Replace\W2K.exe
    C:\SDFix\SDFix\apps\Replace\w2k\null.sys
    C:\SDFix\SDFix\apps\Replace\XP.exe
    C:\SDFix\SDFix\apps\Replace\xp\null.sys
    C:\SDFix\SDFix\apps\Reset_AppInit_DLLs.reg
    C:\SDFix\SDFix\apps\RestartIt!.exe
    C:\SDFix\SDFix\apps\Restore_SecurityCenter.reg
    C:\SDFix\SDFix\apps\Restore_SharedAccess.reg
    C:\SDFix\SDFix\apps\sc.exe
    C:\SDFix\SDFix\apps\SF.exe
    C:\SDFix\SDFix\apps\shutdown.exe
    C:\SDFix\SDFix\apps\srv2.txt
    C:\SDFix\SDFix\apps\svc.txt
    C:\SDFix\SDFix\apps\svcbk.txt
    C:\SDFix\SDFix\apps\swreg.exe
    C:\SDFix\SDFix\apps\swsc.exe
    C:\SDFix\SDFix\apps\unzip.exe
    C:\SDFix\SDFix\apps\WINMSG.EXE
    C:\SDFix\SDFix\apps\zip.exe
    C:\SDFix\SDFix\backups\attrib.exe
    C:\SDFix\SDFix\backups\backupreg.zip
    C:\SDFix\SDFix\backups\backups.zip
    C:\SDFix\SDFix\backups\find.exe
    C:\SDFix\SDFix\backups\findstr.exe
    C:\SDFix\SDFix\backups\HOSTS
    C:\SDFix\SDFix\backups\regedit.exe
    C:\SDFix\SDFix\catchme.exe
    C:\SDFix\SDFix\dummy.sys
    C:\SDFix\SDFix\Report.txt
    C:\SDFix\SDFix\RunThis.bat
    C:\SDFix\SDFix\SDFIX_ReadMe_Online.url
    C:\SDFix\SDFix\SDreport.txt
    C:\sysztoa.exe
    C:\WINDOWS\system32\drvrum.dll
    C:\WINDOWS\system32\drvrumr.dll
    C:\WINDOWS\system32\okqipwgf
    C:\WINDOWS\system32\okqipwgf\bg1.gif
    C:\WINDOWS\system32\okqipwgf\bgtop.gif
    C:\WINDOWS\system32\okqipwgf\bottom1.gif
    C:\WINDOWS\system32\okqipwgf\essentials.gif
    C:\WINDOWS\system32\okqipwgf\icon1.ico
    C:\WINDOWS\system32\okqipwgf\install1.gif
    C:\WINDOWS\system32\okqipwgf\left1.gif
    C:\WINDOWS\system32\okqipwgf\li.gif
    C:\WINDOWS\system32\okqipwgf\logo.gif
    C:\WINDOWS\system32\okqipwgf\main.htm
    C:\WINDOWS\system32\okqipwgf\mainframe.htm
    C:\WINDOWS\system32\okqipwgf\reinstall1.gif
    C:\WINDOWS\system32\okqipwgf\right1.gif
    C:\WINDOWS\system32\okqipwgf\s1.htm
    C:\WINDOWS\system32\okqipwgf\s2.htm
    C:\WINDOWS\system32\okqipwgf\s3.htm
    C:\WINDOWS\system32\okqipwgf\SMTop1.gif
    C:\WINDOWS\system32\okqipwgf\SMTop2.gif
    C:\WINDOWS\system32\okqipwgf\SMTop3.gif
    C:\WINDOWS\system32\okqipwgf\SMTop4.gif
    C:\WINDOWS\system32\okqipwgf\soft1_off.gif
    C:\WINDOWS\system32\okqipwgf\soft1_off_ext.gif
    C:\WINDOWS\system32\okqipwgf\soft1_on.gif
    C:\WINDOWS\system32\okqipwgf\soft1_on_ext.gif
    C:\WINDOWS\system32\okqipwgf\soft2_off.gif
    C:\WINDOWS\system32\okqipwgf\soft2_off_ext.gif
    C:\WINDOWS\system32\okqipwgf\soft2_on.gif
    C:\WINDOWS\system32\okqipwgf\soft2_on_ext.gif
    C:\WINDOWS\system32\okqipwgf\soft3_off.gif
    C:\WINDOWS\system32\okqipwgf\soft3_off_ext.gif
    C:\WINDOWS\system32\okqipwgf\soft3_on.gif
    C:\WINDOWS\system32\okqipwgf\soft3_on_ext.gif
    C:\WINDOWS\system32\okqipwgf\softbottom_off.gif
    C:\WINDOWS\system32\okqipwgf\softbottom_on.gif
    C:\WINDOWS\system32\okqipwgf\softleft_off.gif
    C:\WINDOWS\system32\okqipwgf\softleft_on.gif
    C:\WINDOWS\system32\okqipwgf\top1.gif
    C:\WINDOWS\system32\okqipwgf\top2.gif
    C:\WINDOWS\system32\okqipwgf\turnoff1.gif
    C:\WINDOWS\system32\okqipwgf\turnon1.gif
    C:\WINDOWS\system32\winmmt32.dll
    C:\winxplogon.sys

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
    .

    2007-09-14 12:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-09-13 09:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-13 09:30 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-09-12 23:15 <DIR> d-------- C:\Program Files\Trend Micro
    2007-09-11 11:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-11 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-14 14:17 --------- d-------- C:\Program Files\QuickTime
    2007-09-14 13:48 --------- d-------- C:\Program Files\palmOne
    2007-09-14 13:46 --------- d-------- C:\Program Files\NavNT
    2007-09-14 13:42 --------- d-------- C:\Program Files\Microsoft ActiveSync
    2007-09-14 13:39 --------- d-------- C:\Program Files\iTunes
    2007-09-14 13:37 --------- d-------- C:\Program Files\Google
    2007-09-14 13:34 --------- d-------- C:\Program Files\Common Files\LightScribe
    2007-09-10 01:32 14336 --a------ C:\WINDOWS\system32\svchost.exe
    2007-08-28 14:37 --------- d-------- C:\Program Files\FTP Commander
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-13_110207.97 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 141,424 2006-08-24 13:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
    ----a-w 73,728 2006-08-02 17:39:06 C:\WINDOWS\system32\asuninst.exe
    ----a-w 11,776 2003-03-25 23:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
    ----a-w 110,592 2007-03-29 14:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
    ----a-w 233,472 2006-10-05 21:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
    ----a-w 96,256 2005-06-03 19:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
    ----a-w 36,864 2003-08-01 16:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
    ----a-w 86,016 2005-05-20 18:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
    ----a-w 4,608 2006-02-16 23:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
    ----a-w 348,160 2005-10-25 23:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
    ----a-w 139,264 2004-05-04 20:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
    ----a-w 45,056 2006-07-14 18:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
    ----a-w 159,832 2006-04-10 15:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
    ----a-w 94,208 2006-02-14 18:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
    ----a-w 180,224 2006-02-16 23:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
    ----a-w 122,880 2006-10-05 21:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
    ----a-w 8,704 2006-06-30 19:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
    ----a-w 49,152 2004-02-04 19:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
    ----a-w 69,632 2006-08-01 18:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
    ----a-w 1,388,544 2006-08-23 18:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
    ----a-w 10,752 2006-08-17 16:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
    ----a-w 61,440 2006-09-04 16:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
    ----a-w 779,264 2006-08-18 13:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
    ----a-w 417,792 2007-03-26 19:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
    ----a-w 90,112 2006-08-09 15:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
    ----a-w 208,896 2006-07-19 15:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
    ----a-w 9,728 2006-01-20 21:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
    ----a-w 14,336 2006-05-17 14:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
    ----a-w 33,280 2006-08-16 15:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
    ----a-w 266,240 2006-06-30 19:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
    ----a-w 62,976 2006-08-17 19:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
    ----a-w 13,312 2006-08-08 18:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
    ----a-w 69,632 2006-08-18 13:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
    ----a-w 167,936 2006-08-18 13:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
    ----a-w 353,840 2007-04-18 22:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
    ----a-w 35,328 2007-01-22 19:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
    ----a-w 9,488 1997-09-18 11:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
    ----a-w 69,632 2006-02-28 22:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
    ----atw 16,384 2007-09-15 14:00:12 C:\WINDOWS\Temp\Perflib_Perfdata_c8.dat
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 04:52]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 17:11]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 16:01]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 17:56]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2005-11-15 19:44]
    "RssReader"="C:\Program Files\RssReader\RssReader.exe" [2004-04-04 17:21]
    "gStart"="C:\Garmin\gStart.exe" [2005-07-25 09:05]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-23 09:32:22]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]
    MSSQL$PARAGON.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe [2002-12-17 17:23:26]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

    C:\DOCUME~1\BILLPA~1\STARTM~1\Programs\Startup\
    palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-06-09 14:11:10]

    C:\DOCUME~1\BPATTE~1\STARTM~1\Programs\Startup\
    palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2005-06-09 14:11:10]

    R2 MSSQL$PARAGON;MSSQL$PARAGON;C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlservr.exe -sPARAGON
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
    R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys
    S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys
    S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys
    S3 SQLAgent$PARAGON;SQLAgent$PARAGON;C:\Program Files\Microsoft SQL Server\MSSQL$PARAGON\Binn\sqlagent.EXE -i PARAGON


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14656-11d8-11db-b90b-00c09fc5d4ae}]
    AutoRun\command- E:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2005-11-22 04:57:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-15 09:01:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?0?4?1??????? ???B?????????????hLC? ??????

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-09-15 9:05:10 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-15 09:04
    C:\ComboFix2.txt ... 2007-09-13 11:04
    .
    --- E O F ---
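The "Reg Loading Points" section of the ComboFix log above is what a helper reads to spot autostart entries that do not belong. As an added example (not part of the thread and not ComboFix's own code), this Python script parses that section's layout and flags entries for review; the excerpt is constructed from Run-key lines in the post plus one made-up placeholder entry, and the 30-day window is an assumption taken from the span of the "Files Created" heading.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section.
# The first five entries are copied from the log posted above; the last one is
# a made-up placeholder so that both checks below fire on it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 12:00]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 15:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 09:05]
"example_entry"="C:\example_unknown.exe" [2007-09-10 01:32]
"""
SCAN_DATE = datetime(2007, 9, 15)  # completion date shown in the log above

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$')
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

def parse_entries(log_text):
    """Yield (hive, name, path, timestamp) per autostart line, tracking the key header."""
    hive = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive = key.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and hive:
            name, path, ts = entry.groups()
            yield hive, name, path, datetime.strptime(ts, "%Y-%m-%d %H:%M")

def triage(log_text, scan_date, window_days=30):
    """Return entries worth a second look, each with the reasons it was flagged.

    Two heuristics a helper applies by eye: a binary outside Program Files/Windows,
    and a file time inside the window ComboFix uses for its "Files Created" list.
    Hits are review candidates, not verdicts; vendor tools often live in odd paths."""
    cutoff = scan_date - timedelta(days=window_days)
    flagged = []
    for hive, name, path, ts in parse_entries(log_text):
        reasons = []
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("outside Program Files/Windows")
        if ts >= cutoff:
            reasons.append("modified within scan window")
        if reasons:
            flagged.append({"hive": hive, "name": name, "path": path, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, SCAN_DATE):
        print(f'{hit["name"]:<14} {hit["path"]}  <- {", ".join(hit["reasons"])}')
```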
