
Thread: Need help removing Trojan, Virtumonde and other spyware

  1. #1
    Junior Member (joined Nov 2007, 12 posts)

    Need help removing Trojan, Virtumonde and other spyware

    Hi,

    I am infected with Virtumonde and other trojans/spyware. I followed the instructions from the 'Before you Post' topic by Tashi.

    a) Here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:53:40 AM, on 11/8/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\plite731.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy1\SpybotSD.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\ShriHJT\shrihjt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINNT\system32\qiawpbjj.dll
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINNT\system32\qomjihi.dll
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\system32\wsxniafu.dll
    O2 - BHO: (no name) - {91CE8604-3588-4510-8A3F-6ADCD712CD8A} - C:\WINNT\system32\sstts.dll
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
    O4 - HKLM\..\Run: [2c8b48c8] rundll32.exe "C:\WINNT\system32\gkpueaee.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.andhrajyothy.com/wfplayer/tdserver.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll
    O22 - SharedTaskScheduler: compunctiously - {dec5caa7-8045-495c-8034-35aff489fedf} - C:\WINNT\system32\ecxwp.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

    --
    End of file - 5732 bytes


    I ran the Kaspersky online scan, and I can post the log below (or upon request). Just for the record, I also ran Spybot S&D.

    Thanks in advance.

    Regards
    Shri

  2. #2
    Guest (joined Jul 2007, Finland, 260 posts)

    Hi and welcome to the forums.
    I'm Markka and I will be helping you with your malware issues.

    I'll check your HijackThis log. Right now I'm an MRU Undergrad, so everything that I post to you must be checked by
    the teachers of Malware Removal University.
    Please be patient.

  3. #3
    Junior Member (joined Nov 2007, 12 posts)

    Thanks for your response

    Thanks for offering help.
    Looking forward to your solution.

    Regards
    Shri

  4. #4
    Guest (joined Jul 2007, Finland, 260 posts)

    Hello

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall!

    Post a fresh HijackThis log & contents of C:\ComboFix.txt

  5. #5
    Junior Member (joined Nov 2007, 12 posts)

    Combofix Log

    Here is the combofix log.

    ComboFix 07-11-08.1 - Administrator 11/10/2007 9:11:56.1 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.106 [GMT -5:00]
    Running from: C:\Documents and Settings\administrator\Desktop\ComboFix.exe
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\curlog.htm
    C:\Program Files\akl\keylog.txt
    C:\Program Files\akl\readme.txt
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.dat
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\amsys
    C:\Program Files\amsys\awmsg.dat
    C:\Program Files\amsys\mfc42.dll
    C:\Program Files\amsys\msvcrt.dll
    C:\Program Files\amsys\unins000.dat
    C:\Program Files\amsys\unis000.exe
    C:\Program Files\amsys\winam.dat
    C:\Program Files\e-zshopper
    C:\Program Files\e-zshopper\BarLcher.dll
    C:\Program Files\p2pnetworks
    C:\Program Files\p2pnetworks\amp2pl.exe
    C:\Program Files\SoftPortal
    C:\Program Files\SoftPortal\Soft\ATGE\ui.uim
    C:\Program Files\SoftPortal\Soft\EAV\ui.uim
    C:\Program Files\SoftPortal\Soft\XBS\info.txt
    C:\Program Files\SoftPortal\Soft\XBS\ui.uim
    C:\Program Files\SoftPortal\Soft\XBS\XBS.exe
    C:\Program Files\SoftPortal\Soft\XBS\XBS.part001.rar
    C:\Program Files\SoftPortal\Soft\XBS\XBS.part002.rar
    C:\WINNT\764.exe
    C:\WINNT\aconti.exe
    C:\WINNT\adbar.dll
    C:\WINNT\cbinst$.exe
    C:\WINNT\cookies.ini
    C:\WINNT\daxtime.dll
    C:\WINNT\dp0.dll
    C:\WINNT\eventlowg.dll
    C:\WINNT\fhfmm-Uninstaller.exe
    C:\WINNT\fhfmm.exe
    C:\WINNT\flt.dll
    C:\WINNT\hotporn.exe
    C:\WINNT\ie_32.exe
    C:\WINNT\jd2002.dll
    C:\WINNT\kkcomp$.exe
    C:\WINNT\kkcomp.exe
    C:\WINNT\liqad$.exe
    C:\WINNT\liqad.exe
    C:\WINNT\liqui-Uninstaller.exe
    C:\WINNT\liqui.exe
    C:\WINNT\ngd.dll
    C:\WINNT\spredirect.dll
    C:\WINNT\system32\drivers\4_stars.gif
    C:\WINNT\system32\drivers\5_stars.gif
    C:\WINNT\system32\drivers\alert_icon.gif
    C:\WINNT\system32\drivers\arrow.gif
    C:\WINNT\system32\drivers\buy_btn.gif
    C:\WINNT\system32\drivers\close_icon.gif
    C:\WINNT\system32\drivers\detect.htm
    C:\WINNT\system32\drivers\download_btn.gif
    C:\WINNT\system32\drivers\features.gif
    C:\WINNT\system32\drivers\header_bg.gif
    C:\WINNT\system32\drivers\icon_warning.gif
    C:\WINNT\system32\drivers\logo_bg.gif
    C:\WINNT\system32\drivers\perfect_cleaner_box.jpg
    C:\WINNT\system32\drivers\perfect_cleaner_box_small.jpg
    C:\WINNT\system32\drivers\perfect_cleaner_header.gif
    C:\WINNT\system32\drivers\perfect_cleaner_header_small.gif
    C:\WINNT\system32\drivers\protect.gif
    C:\WINNT\system32\drivers\pt.htm
    C:\WINNT\system32\drivers\s_detect.htm
    C:\WINNT\system32\drivers\secuity_center_logo.gif
    C:\WINNT\system32\drivers\spy_away_box.jpg
    C:\WINNT\system32\drivers\spy_away_box_small.jpg
    C:\WINNT\system32\drivers\spy_away_header.gif
    C:\WINNT\system32\drivers\spy_away_header_small.gif
    C:\WINNT\system32\drivers\users_rating.gif
    C:\WINNT\system32\drivers\v.gif
    C:\WINNT\system32\drivers\x.gif
    C:\WINNT\system32\ESHOPEE.exe
    C:\WINNT\system32\gtv_sd.bin
    C:\WINNT\system32\lelyoyci.exe
    C:\WINNT\system32\msole32.exe
    C:\WINNT\system32\pac.txt
    C:\WINNT\system32\qbhbqtrt.exe
    C:\WINNT\system32\qvibuxli.exe
    C:\WINNT\system32\rffbmvbt.exe
    C:\WINNT\system32\SoUI.dll
    C:\WINNT\system32\sstts.dll
    C:\WINNT\system32\sttss.bak1
    C:\WINNT\system32\sttss.bak2
    C:\WINNT\system32\sttss.ini
    C:\WINNT\system32\wml.exe
    C:\WINNT\system32\wsapcrml.exe
    C:\WINNT\system32\wsxniafu.dll
    C:\WINNT\system32\ybrgqyqk.exe
    C:\WINNT\vxddsk.exe
    C:\WINNT\winh32.exe
    C:\WINNT\xadbrk.exe
    C:\WINNT\xadbrk_.exe
    C:\WINNT\xxxvideo.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
    .

    2007-11-10 09:10 81,472 --a------ C:\WINNT\system32\nknjogdi.dll
    2007-11-10 09:09 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-11-09 02:58 88,128 --a------ C:\WINNT\system32\ybsfymtf.dll
    2007-11-09 02:58 71,232 --a------ C:\WINNT\system32\yjgwawit.exe
    2007-11-09 02:56 71,232 --a------ C:\WINNT\system32\sgeqsoln.exe
    2007-11-07 07:10 71,232 --a------ C:\WINNT\system32\oyhgsmjk.exe
    2007-11-06 02:46 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-06 02:25 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
    2007-11-06 02:25 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
    2007-11-04 16:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy1
    2007-11-03 09:49 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
    2007-11-02 01:03 436 --ah----- C:\aaw7boot.cmd
    2007-11-01 23:30 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
    2007-11-01 23:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-01 23:23 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-11-01 23:13 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
    2007-11-01 23:13 4 --a------ C:\WINNT\system32\stfv.bin
    2007-10-30 21:59 <DIR> d-------- C:\WINNT\system32\acespy
    2007-10-30 21:31 131,588 --a------ C:\WINNT\system32\qiawpbjj.exe
    2007-10-30 21:31 21,504 --a------ C:\WINNT\system32\qiawpbjj.dll
    2007-10-30 21:30 552,960 --a------ C:\WINNT\system32\GE.dll
    2007-10-30 21:30 76,800 --a------ C:\WINNT\system32\unrar.dll
    2007-10-30 21:01 61,002 --a------ C:\syslvbb.exe
    2007-10-30 21:01 61,002 --a------ C:\ie_updater.exe
    2007-10-30 20:56 3,638 --a------ C:\wndyvqe.exe
    2007-10-30 20:45 61,003 --a------ C:\syspthy.exe
    2007-10-30 20:45 61,002 --a------ C:\Documents and Settings\administrator\ie_update3r.exe
    2007-10-30 20:42 1,577 --a------ C:\wndzyoz.exe
    2007-10-30 03:49 <DIR> d-------- C:\WINNT\system32\Mz02r
    2007-10-30 03:49 294,668 --a------ C:\WINNT\frexup2.exe
    2007-10-30 03:49 34,816 --------- C:\WINNT\system32\qomjihi.dll
    2007-10-30 03:49 13,824 --a------ C:\WINNT\plite731.exe
    2007-10-30 03:49 41 --a------ C:\WINNT\plite731_uninstaller_.bat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-08-12 23:39 41,984 ----a-w C:\WINNT\ca.exe
    2006-03-28 23:26 271 ---h--w C:\Program Files\desktop.ini
    2006-03-28 23:26 21,952 ---h--w C:\Program Files\folder.htt
    2004-01-04 00:20 208,928 ----a-w C:\Program Files\user.pca
    2004-01-04 00:12 1,392,672 ----a-w C:\Program Files\system.pca
    1999-12-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
    07-10-30 21:31 21504 --a------ C:\WINNT\system32\qiawpbjj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28e4c799-4390-49ba-a82a-2426c45157d4}]
    07-11-10 09:10 81472 --a------ C:\WINNT\system32\nknjogdi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
    07-10-30 03:49 34816 --------- C:\WINNT\system32\qomjihi.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [99-12-07 12:00 C:\WINNT\system32\mobsync.exe]
    "TI WLAN"="C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe" [04-12-09 15:49 ]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06-03-16 11:34 ]
    "NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 10:50 ]
    "NWEReboot"="" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-07-15 21:43 ]
    "plite731"="C:\WINNT\plite731.exe" [07-10-30 03:49 ]
    "2c8b48c8"="C:\WINNT\system32\ybsfymtf.dll" [07-11-09 02:58 ]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-14 01:10 ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe" [07-08-31 16:46 ]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-01-03 20:55:05]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2003-03-30 00:29:48]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dec5caa7-8045-495c-8034-35aff489fedf}"= C:\WINNT\system32\ecxwp.dll [06-03-28 17:05 12800]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINNT\system32\qomjihi.dll [07-10-30 03:49 34816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjihi]
    qomjihi.dll 07-10-30 03:49 34816 C:\WINNT\system32\qomjihi.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINNT\system32\sstts.dll

    R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
    R3 TNET1130;802.11 WLAN;C:\WINNT\system32\DRIVERS\TNET1130.sys
    R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys
    S2 VRDVC20;Sony VRD-VC20 [Video Capture];C:\WINNT\system32\Drivers\VRDVC20X.SYS

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 09:21:24
    Windows 5.0.2195 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-10 9:22:55 - machine was rebooted
    .
    --- E O F ---

    Thanks
    Shri

  6. #6
    Junior Member (joined Nov 2007, 12 posts)

    Fresh HT Log

    Hi Markka,

    Thanks for your response. Here is the fresh HT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:51:00 AM, on 11/10/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\plite731.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\ShriHJT\shrihjt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINNT\system32\qiawpbjj.dll
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {4d75154c-6242-a28a-ab94-0934997c4e82} - {28e4c799-4390-49ba-a82a-2426c45157d4} - C:\WINNT\system32\nknjogdi.dll
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {7DC438A6-E952-4990-BFA1-E1183B15CCDB} - C:\WINNT\system32\cbaab.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINNT\system32\qomjihi.dll
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
    O4 - HKLM\..\Run: [2c8b48c8] rundll32.exe "C:\WINNT\system32\ybsfymtf.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.andhrajyothy.com/wfplayer/tdserver.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll
    O22 - SharedTaskScheduler: compunctiously - {dec5caa7-8045-495c-8034-35aff489fedf} - C:\WINNT\system32\ecxwp.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

    --
    End of file - 5656 bytes


    Thanks
    Shri

  7. #7
    Guest (joined Jul 2007, Finland, 260 posts)

    Hello

    Disable Teatimer:

    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.
    _____________________

    Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINNT\system32\qiawpbjj.dll
    C:\WINNT\system32\nknjogdi.dll
    C:\WINNT\system32\cbaab.dll
    C:\WINNT\system32\qomjihi.dll
    C:\WINNT\system32\ybsfymtf.dll
    C:\WINNT\system32\ecxwp.dll
    C:\WINNT\system32\nknjogdi.dll
    C:\WINNT\system32\ybsfymtf.dll
    C:\WINNT\system32\yjgwawit.exe
    C:\WINNT\system32\sgeqsoln.exe
    C:\WINNT\system32\oyhgsmjk.exe
    C:\WINNT\system32\qiawpbjj.exe
    C:\WINNT\system32\qiawpbjj.dll
    C:\WINNT\system32\GE.dll
    C:\syslvbb.exe
    C:\ie_updater.exe
    C:\wndyvqe.exe
    C:\syspthy.exe
    C:\Documents and Settings\administrator\ie_update3r.exe
    C:\wndzyoz.exe
    C:\WINNT\system32\Mz02r
    C:\WINNT\frexup2.exe
    C:\WINNT\system32\qomjihi.dll
    C:\WINNT\plite731_uninstaller_.bat

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    _________________

    Open HijackThis, click "Do a system scan only", and checkmark these entries. Then close all other windows except HijackThis and press "Fix checked".

    O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINNT\system32\qiawpbjj.dll
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: {4d75154c-6242-a28a-ab94-0934997c4e82} - {28e4c799-4390-49ba-a82a-2426c45157d4} - C:\WINNT\system32\nknjogdi.dll
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {7DC438A6-E952-4990-BFA1-E1183B15CCDB} - C:\WINNT\system32\cbaab.dll
    O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINNT\system32\qomjihi.dll
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
    O4 - HKLM\..\Run: [2c8b48c8] rundll32.exe "C:\WINNT\system32\ybsfymtf.dll",b
    O20 - Winlogon Notify: qomjihi - C:\WINNT\SYSTEM32\qomjihi.dll
    O22 - SharedTaskScheduler: compunctiously - {dec5caa7-8045-495c-8034-35aff489fedf} - C:\WINNT\system32\ecxwp.dll

    __________

    Post:
    - A fresh HijackThis log
    - Contents of C:\ComboFix.txt

  8. #8
    Junior Member (joined Nov 2007, 12 posts)

    Fresh HT Log & ComboFix Log

    Hi Markka,

    Thanks for your reply. I followed all the steps exactly as mentioned in your post. Here is a fresh HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:32:09 PM, on 11/11/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Trend Micro\ShriHJT\shrihjt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.andhrajyothy.com/wfplayer/tdserver.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

    --
    End of file - 3863 bytes
    _______________________________________________________

    Here is the ComboFix log.
    _____________________

    ComboFix 07-11-08.1 - Administrator 11/11/2007 14:16:21.2 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.133 [GMT -5:00]
    Running from: C:\Documents and Settings\administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\administrator\Desktop\CFScript.txt

    FILE
    C:\Documents and Settings\administrator\ie_update3r.exe
    C:\ie_updater.exe
    C:\syslvbb.exe
    C:\syspthy.exe
    C:\WINNT\frexup2.exe
    C:\WINNT\plite731_uninstaller_.bat
    C:\WINNT\system32\cbaab.dll
    C:\WINNT\system32\ecxwp.dll
    C:\WINNT\system32\GE.dll
    C:\WINNT\system32\Mz02r
    C:\WINNT\system32\nknjogdi.dll
    C:\WINNT\system32\oyhgsmjk.exe
    C:\WINNT\system32\qiawpbjj.dll
    C:\WINNT\system32\qiawpbjj.exe
    C:\WINNT\system32\qomjihi.dll
    C:\WINNT\system32\sgeqsoln.exe
    C:\WINNT\system32\ybsfymtf.dll
    C:\WINNT\system32\yjgwawit.exe
    C:\wndyvqe.exe
    C:\wndzyoz.exe
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\administrator\ie_update3r.exe
    C:\ie_updater.exe
    C:\syslvbb.exe
    C:\syspthy.exe
    C:\WINNT\frexup2.exe
    C:\WINNT\plite731_uninstaller_.bat
    C:\WINNT\system32\baabc.bak1
    C:\WINNT\system32\baabc.ini
    C:\WINNT\system32\cbaab.dll
    C:\WINNT\system32\ecxwp.dll
    C:\WINNT\system32\GE.dll
    C:\WINNT\system32\nknjogdi.dll
    C:\WINNT\system32\oyhgsmjk.exe
    C:\WINNT\system32\qiawpbjj.dll
    C:\WINNT\system32\qiawpbjj.exe
    C:\WINNT\system32\qomjihi.dll
    C:\WINNT\system32\sgeqsoln.exe
    C:\WINNT\system32\ybsfymtf.dll
    C:\WINNT\system32\yjgwawit.exe
    C:\wndyvqe.exe
    C:\wndzyoz.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
    .

    2007-11-11 14:24 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_400.dat
    2007-11-10 09:09 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-11-06 02:46 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-06 02:25 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
    2007-11-06 02:25 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
    2007-11-04 16:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy1
    2007-11-03 09:49 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
    2007-11-02 01:03 436 --ah----- C:\aaw7boot.cmd
    2007-11-01 23:30 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Lavasoft
    2007-11-01 23:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-01 23:23 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-11-01 23:13 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
    2007-11-01 23:13 4 --a------ C:\WINNT\system32\stfv.bin
    2007-10-30 21:59 <DIR> d-------- C:\WINNT\system32\acespy
    2007-10-30 21:30 76,800 --a------ C:\WINNT\system32\unrar.dll
    2007-10-30 03:49 <DIR> d-------- C:\WINNT\system32\Mz02r
    2007-10-30 03:49 13,824 --a------ C:\WINNT\plite731.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-08-12 23:39 41,984 ----a-w C:\WINNT\ca.exe
    2006-03-28 23:26 271 ---h--w C:\Program Files\desktop.ini
    2006-03-28 23:26 21,952 ---h--w C:\Program Files\folder.htt
    2004-01-04 00:20 208,928 ----a-w C:\Program Files\user.pca
    2004-01-04 00:12 1,392,672 ----a-w C:\Program Files\system.pca
    1999-12-07 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((( snapshot@Sat 2007-11-10_ 9.21.48.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 15:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [99-12-07 12:00 C:\WINNT\system32\mobsync.exe]
    "TI WLAN"="C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe" [04-12-09 15:49 ]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06-03-16 11:34 ]
    "NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 10:50 ]
    "NWEReboot"="" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-07-15 21:43 ]
    "plite731"="C:\WINNT\plite731.exe" [07-10-30 03:49 ]
    "2c8b48c8"="C:\WINNT\system32\ybsfymtf.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-14 01:10 ]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-01-03 20:55:05]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2003-03-30 00:29:48]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{dec5caa7-8045-495c-8034-35aff489fedf}"= C:\WINNT\system32\ecxwp.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjihi]
    qomjihi.dll

    R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
    R3 TNET1130;802.11 WLAN;C:\WINNT\system32\DRIVERS\TNET1130.sys
    R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys
    S2 VRDVC20;Sony VRD-VC20 [Video Capture];C:\WINNT\system32\Drivers\VRDVC20X.SYS

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 14:24:40
    Windows 5.0.2195 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 14:25:53 - machine was rebooted
    C:\ComboFix2.txt ... 07-11-10 09:22
    .
    --- E O F ---

    Thanks
    Shri
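
The ComboFix log above shows the loading points a Virtumonde-style infection uses: a Winlogon notify package (qomjihi.dll, loaded into winlogon.exe as SYSTEM), a SharedTaskScheduler CLSID and a Run value that name a bare DLL (ecxwp.dll, ybsfymtf.dll), a BHO whose DLL sits in system32 next to random-named droppers, and executables dropped into C:\ and C:\WINNT. The Python below is an added example for this page, not code from the thread or from HijackThis, ComboFix or AVG Anti-Spyware; it scores HijackThis-style O2/O4/O20/O23 lines on exactly those signals. SAMPLE_LOG is constructed from the posted entries (the O20 line restates the ComboFix Winlogon notify entry in HijackThis format); the point values and the KNOWN_NOTIFY allowlist are assumptions chosen for illustration.

```python
"""Score HijackThis-style autostart lines for follow-up.
Added example for this page, not code from the thread, HijackThis, ComboFix or
AVG Anti-Spyware. SAMPLE_LOG is constructed to mirror the posted logs; point
values and KNOWN_NOTIFY are assumptions chosen for illustration."""

import re
from dataclasses import dataclass, field
from typing import List

SAMPLE_LOG = r"""
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINNT\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [plite731] C:\WINNT\plite731.exe
O4 - HKLM\..\Run: [2c8b48c8] C:\WINNT\system32\ybsfymtf.dll
O20 - Winlogon Notify: qomjihi - C:\WINNT\system32\qomjihi.dll
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
PATH_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|bat|cmd|scr))(?=\s|$)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)
# Default Windows 2000/XP notify packages (assumption; extend for your build).
KNOWN_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}

@dataclass
class Finding:
    kind: str
    name: str
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def first_path(cmd: str) -> str:
    """Binary from a Run command line: "quoted path" args, or path args."""
    m = PATH_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def parent_dir(path: str) -> str:
    p = path.lower()
    return p.rsplit('\\', 1)[0] if '\\' in p else ''

def in_odd_location(path: str) -> bool:
    """Drive root, the Windows directory itself, or a user profile root."""
    parent = parent_dir(path)
    return bool(re.fullmatch(r'[a-z]:', parent)
                or re.fullmatch(r'[a-z]:\\win(nt|dows)', parent)
                or re.fullmatch(r'[a-z]:\\documents and settings\\[^\\]+', parent))

def in_system_dir(path: str) -> bool:
    return bool(re.fullmatch(r'[a-z]:\\win(nt|dows)(\\system32)?', parent_dir(path)))

def triage(log_text: str) -> List[Finding]:
    """Parse O2/O4/O20/O23 lines; return findings, highest score first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            f = Finding('BHO', m['name'], m['path'])
            if m['path'].lower() == '(no file)':
                f.hit(1, 'orphaned BHO CLSID with no DLL; remove the registration')
            elif in_system_dir(m['path']):
                f.hit(2, 'BHO DLL in Windows/system32 rather than an app directory')
        elif m := RUN_RE.match(line):
            f = Finding('Run', m['name'], first_path(m['cmd']))
            if f.path.lower().endswith('.dll'):
                f.hit(3, 'Run value names a bare DLL, not a process image')
            if HEX_NAME_RE.match(m['name']):
                f.hit(2, 'hex-looking value name')
        elif m := NOTIFY_RE.match(line):
            f = Finding('WinlogonNotify', m['name'], m['path'])
            if m['name'].lower() not in KNOWN_NOTIFY:
                f.hit(3, 'non-default notify package; DLL loads into winlogon.exe as SYSTEM')
        elif m := SVC_RE.match(line):
            f = Finding('Service', m['name'], m['path'])
            if m['owner'] == 'Unknown owner':
                f.hit(1, 'service binary carries no vendor information')
        else:
            continue
        if in_odd_location(f.path):
            f.hit(2, 'binary sits in a drive, Windows or profile root')
        findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        if f.score > 0:
            print(f'[{f.score}] {f.kind} {f.name} -> {f.path}: ' + '; '.join(f.reasons))
```

Run stand-alone it lists the scored entries in descending order, so the Run value pointing at ybsfymtf.dll and the qomjihi notify package come out on top while ZoneAlarm, QuickTime and the Google BHO score zero. The scores are triage hints, not verdicts: the "Unknown owner" service here is the wireless utility, and the "(no file)" BHO is a dead registration to clean up rather than live code. The Winlogon notify check is the one worth the most attention, since a DLL registered there runs inside winlogon.exe before any user logs on and will survive a cleanup that only removes Run keys.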

  9. #9
    Guest
    Join Date
    Jul 2007
    Location
    Finland
    Posts
    260

    Default

    Hello

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    ____________________

    Please download ATF-cleaner and save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

      If you use Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

      If you use Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.

    ________________________

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    ____________________

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.
    _________________

    Post a fresh HijackThis log & AVG Anti-Spyware's report.

  10. #10
    Junior Member
    Join Date
    Nov 2007
    Posts
    12

    Default Fresh HijackThis log & AVG Anti-Spyware's report

    Hi Markka,

    Here is fresh HT Log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:26:15 PM, on 11/12/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\Program Files\Trend Micro\ShriHJT\shrihjt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.andhrajyothy.com/wfplayer/tdserver.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

    --
    End of file - 4093 bytes
    ____________________________________________________________

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:20:38 PM 11/12/2007

    + Scan result:

    C:\WINNT\system32\Mz02r\Mz02r1065.exe -> Downloader.VB.bkw : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\WINNT\system32\qiawpbjj.dll.vir -> Downloader.VB.bpr : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\WINNT\system32\qiawpbjj.exe.vir -> Downloader.VB.bpr : Cleaned with backup (quarantined).
    C:\Temp\svcipa.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\Documents and Settings\administrator\ie_update3r.exe.vir -> Trojan.Delf.aio : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\ie_updater.exe.vir -> Trojan.Delf.aio : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\syslvbb.exe.vir -> Trojan.Delf.aio : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\syspthy.exe.vir -> Trojan.Delf.aio : Cleaned with backup (quarantined).
    C:\WINNT\ca.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\WINNT\winh32.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).


    ::Report end
    _______________
    Thanks
    Shri
