virtumonde, smitfraud, and possibly others

**Shaba** · 2007-11-06, 17:08

Hi

Please then try to boot in safe mode, log on as admin and perform this:

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\uyektftg.dll
C:\WINDOWS\system32\thhkocro.dll
C:\WINDOWS\system32\ppvxhwke.dll
C:\WINDOWS\system32\guuhofvm.dll
C:\WINDOWS\system32\jrqegnke.dll
C:\WINDOWS\system32\kwafrpiu.dll
C:\WINDOWS\system32\gkicdwoj.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\iiffcax.dll
C:\WINDOWS\system32\ixmwvfhm.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe

Folder::
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\QW5nZWxpY2E
C:\Temp\mZOr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B565656-A605-4A3D-A1AF-0468359CBBEB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2EAA49F2-162F-4041-B133-4B2B1838C5B7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AB9A6C-DE12-4E09-B47F-B5E1568D7F2B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD837A08-A2A6-4908-9EB2-A0E5B8022172}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0CA35C1-7F53-4862-8083-4C8EA9FC0291}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffcax]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihfe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{3D-D7-78-80-ZN}"=-
"2083d72f"="-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**rajivdog** · 2007-11-07, 05:15

ComboFix 07-11-07.3 - Angelica 2007-11-06 23:05:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223 [GMT -5:00]
Running from: C:\Documents and Settings\Angelica\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Angelica\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gkicdwoj.dll
C:\WINDOWS\system32\guuhofvm.dll
C:\WINDOWS\system32\iiffcax.dll
C:\WINDOWS\system32\ixmwvfhm.dll
C:\WINDOWS\system32\jrqegnke.dll
C:\WINDOWS\system32\kwafrpiu.dll
C:\WINDOWS\system32\ppvxhwke.dll
C:\WINDOWS\system32\thhkocro.dll
C:\WINDOWS\system32\uyektftg.dll
C:\WINDOWS\system32\vvgeowbv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Angelica\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Angelica\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Angelica\Favorites\Online Security Guide.lnk
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\QW5nZWxpY2E\kqcBtqUDsZH.vbs
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\gkicdwoj.dll
C:\WINDOWS\system32\guuhofvm.dll
C:\WINDOWS\system32\iiffcax.dll
C:\WINDOWS\system32\ixmwvfhm.dll
C:\WINDOWS\system32\jrqegnke.dll
C:\WINDOWS\system32\kqsajadw.dllbox
C:\WINDOWS\system32\kwafrpiu.dll
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r\Mz08r1099.exe
C:\WINDOWS\system32\ppvxhwke.dll
C:\WINDOWS\system32\thhkocro.dll
C:\WINDOWS\system32\uyektftg.dll
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Angelica\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Angelica\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Angelica\Favorites\Online Security Guide.lnk
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\QW5nZWxpY2E
C:\WINDOWS\QW5nZWxpY2E\kqcBtqUDsZH.vbs
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gkicdwoj.dll
C:\WINDOWS\system32\guuhofvm.dll
C:\WINDOWS\system32\ixmwvfhm.dll
C:\WINDOWS\system32\jrqegnke.dll
C:\WINDOWS\system32\kqsajadw.dllbox
C:\WINDOWS\system32\kwafrpiu.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\Mz08r\Mz08r1099.exe
C:\WINDOWS\system32\ppvxhwke.dll
C:\WINDOWS\system32\thhkocro.dll
C:\WINDOWS\system32\uyektftg.dll
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 21:54 145,984 --a------ C:\WINDOWS\system32\wgoidfet.dll
2007-11-06 21:51 71,232 --a------ C:\WINDOWS\system32\dqbsrakv.exe
2007-11-06 08:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 08:41 <DIR> d-------- C:\VundoFix Backups
2007-11-03 16:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 14:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-03 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-01 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2007-10-31 21:58 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-31 21:58 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-31 21:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-31 21:58 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-31 21:57 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-31 21:57 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-31 21:57 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-31 21:57 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-31 21:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-31 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 21:43 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
2007-10-31 21:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 21:36 <DIR> d-------- C:\Temp
2007-10-10 05:35 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-10-31 23:47 --------- d-----w C:\Program Files\Skype
2007-10-31 23:47 --------- d-----w C:\Documents and Settings\Angelica\Application Data\Skype
2007-09-13 22:16 --------- d-----w C:\Program Files\Joost
2007-09-13 22:16 --------- d-----w C:\Documents and Settings\Angelica\Application Data\Joost
2007-01-10 02:55:02 88 --sh--r C:\WINDOWS\system32\4A1DA6616D.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_ 9.02.44.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-06 13:43:15 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 04:03:48 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-06 13:43:15 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 04:03:48 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-06 14:00:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat
+ 2007-11-07 04:08:28 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 04:56]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 15:08]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 23:19 C:\WINDOWS\stsystra.exe]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 03:08]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 19:56]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 14:24]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"2083d72f"="C:\WINDOWS\system32\oimdaucs.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-16 00:27:20]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 01:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 23:09:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 23:10:08 - machine was rebooted
.
--- E O F ---

**rajivdog** · 2007-11-07, 05:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:40 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\rajivdog.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [2083d72f] rundll32.exe "C:\WINDOWS\system32\oimdaucs.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6701 bytes

**rajivdog** · 2007-11-07, 05:27

Hi,

I also thought to run vundofix while in safe mode and it cleaned and removed one file. I did this before the last combofix run that you see above. Here's the report.

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 22:49:36 2007-11-06

Listing files found while scanning....

C:\WINDOWS\system32\kqsajadw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kqsajadw.dll
C:\WINDOWS\system32\kqsajadw.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kqsajadw.dll
C:\WINDOWS\system32\kqsajadw.dll Has been deleted!

Performing Repairs to the registry.
Done!

**Shaba** · 2007-11-07, 10:22

Hi

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [2083d72f] rundll32.exe "C:\WINDOWS\system32\oimdaucs.dll",b

Close all windows including browser and press fix checked.

Reboot.

Delete these:

C:\WINDOWS\system32\wgoidfet.dll
C:\WINDOWS\system32\dqbsrakv.exe

Empty Recycle Bin

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

**rajivdog** · 2007-11-08, 06:24

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 08, 2007 12:20:23 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 453814
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44689
Number of viruses found: 22
Number of infected objects: 58
Number of suspicious objects: 2
Duration of the scan process: 00:45:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Angelica\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\cert8.db Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\history.dat Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\key3.db Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\parent.lock Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Angelica\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Angelica\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Application Data\Mozilla\Firefox\Profiles\wyuoc4yw.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\History\History.IE5\MSHist012007110720071108\index.dat Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\temp\hpotdd001.log Object is locked skipped
C:\Documents and Settings\Angelica\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angelica\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Angelica\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Windows NT\zysonaju.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\qoobox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\qoobox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\.exe.vir Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\aivskurq.dll.vir Infected: Trojan-Downloader.Win32.VB.bpt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\e2\caws83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\e2\caws83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\guuhofvm.dll.vir Infected: Trojan.Win32.BHO.rg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ixmwvfhm.dll.vir Infected: Trojan.Win32.BHO.rd skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jhclxll.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jrqegnke.dll.vir Infected: Trojan.Win32.BHO.rf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kwafrpiu.dll.vir Infected: Trojan.Win32.BHO.re skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\Mz02r\Mz02r1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\Mz08r\Mz08r1099.exe.vir Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ppvxhwke.dll.vir Infected: Trojan.Win32.BHO.rg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\psmymtir.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\thhkocro.dll.vir Infected: Trojan.Win32.BHO.rf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vvgeowbv.exe.vir Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\x22\wr31drs.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0072345.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072367.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072656.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072657.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072658.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072725.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072726.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072728.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0072729.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0072844.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0072850.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073089.exe Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073090.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073091.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073092.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073096.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073096.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073098.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073100.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0073100.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073230.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073231.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073232.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073233.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073234.dll Infected: Trojan-Downloader.Win32.VB.bpt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073236.dll Infected: Trojan.Win32.BHO.rg skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073237.dll Infected: Trojan.Win32.BHO.rd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073238.dll Infected: Trojan.Win32.BHO.rf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073239.dll Infected: Trojan.Win32.BHO.re skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073240.dll Infected: Trojan.Win32.BHO.rg skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073241.dll Infected: Trojan.Win32.BHO.rf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073243.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362\change.log Object is locked skipped
C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_628.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

**rajivdog** · 2007-11-08, 06:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:11 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\rajivdog.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6601 bytes

**Shaba** · 2007-11-08, 10:20

Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\qoobox\Quarantine\

Delete these:

C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\mrofinu572.exe.tmp

Empty Recycle Bin

Still problems?

**rajivdog** · 2007-11-14, 07:30

I followed the instructions as you had previously posted. The only problem was that I was unable to delete the entry:
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe

No CONFLICT.1 folder could be found, even when i entered that heading manually. Here is another HJT log.

Sorry it took me so long to reply with this. I have been out of town.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:47 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\rajivdog.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6706 bytes

**Shaba** · 2007-11-14, 10:22

Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

And try again, please.

Now success with C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe ?

Thread: virtumonde, smitfraud, and possibly others

Thread Tools

Display

New Combofix log

New HJT

vundofix as well

new Kaspersky

New HJT

No Problems so far

Posting Permissions