
Thread: Help, i think i got bad viruses!Smit-Fraud!

  1. #11
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter1.sextracker[1].txt
    Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\DON\Cookies\don@sexlist[5].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter7.sextracker[1].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter6.sextracker[1].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\DON\Cookies\don@statse.webtrendslive[2].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\DON\Cookies\don@bluestreak[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\DON\Cookies\don@as-us.falkag[3].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@sextracker[5].txt
    Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\DON\Cookies\don@counter12.sextracker[3].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\DON\Cookies\don@adrevolver[5].txt
    Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\DON\Cookies\don@linksynergy[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\DON\Cookies\don@ads.pointroll[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\DON\Cookies\don@mediaplex[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\DON\Cookies\don@overture[5].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\DON\Cookies\don@questionmarket[4].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\DON\Cookies\don@target[1].txt
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\DON\Cookies\don@ads.addynamix[1].txt
    Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\DON\Cookies\don@landing.domainsponsor[2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\DON\Cookies\don@zedo[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\DON\Cookies\don@casalemedia[6].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\DON\Cookies\don@burstnet[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\DON\Cookies\don@ad.yieldmanager[4].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\DON\Cookies\don@media.fastclick[4].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\DON\Cookies\don@trafficmp[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\DON\Cookies\don@searchportal.information[1].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
    Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@xxxcounter[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@ads.pointroll[1].txt
    Spyware:Cookie/PrivacyGuard Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@yourprivacyguard[1].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@adultfriendfinder[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@atdmt[2].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@questionmarket[2].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@ad.yieldmanager[2].txt
    Spyware:Spyware/ShopNav Not disinfected C:\Program Files\Srng\SrngUtil.exe
    Spyware:Spyware/ShopNav Not disinfected C:\Program Files\Srng\SNHelper.dll
    Virus:Trj/Downloader.RKS Disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\faxocmo.dll.vir
    Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
    Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Download and run - ATF Cleaner instructions here.

    -------------------------------------

    Reboot in safe mode, instructions here.
    Some of these files may have hidden attributes.
    Click here should you need instructions for showing hidden files and folders in Windows.
    Once in safe mode, Click start / then my computer / local disk then follow the process tree.
    Or using Windows Explorer, locate the first file right click then select delete.

    Delete the following folder(s) listed in bold.

    c:\program files\Srng

    ------------------------------

    Reboot and run Panda's ActiveScan again.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  3. #13
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    Alright, here's the log from the Panda scan, and it's substantially smaller.


    Incident Status Location

    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@doubleclick[1].txt
    Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SrngUtil.exe
    Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SNHelper.dll
    Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
    Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe

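The two Panda ActiveScan logs above are mostly noise (tracking cookies) with a handful of real findings mixed in, and it is easy to misread a detection inside ComboFix's own packed archive as a fresh infection. The following is an added example, not part of the thread and not Panda's or ComboFix's code: it parses lines in the "Incident Status Location" format and sorts them into triage buckets. The bucket names are hypothetical, the sample lines are constructed from entries in this thread, and the rule that a hit inside a `ComboFix.exe[...]` archive member is a component bundled with the removal tool is an assumption a practitioner should confirm before acting on it.

```python
import re

# Constructed sample in the Panda ActiveScan "Incident Status Location" format;
# the lines mirror entries from the logs posted in this thread.
SAMPLE_LOG = r"""
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\DON\Cookies\don@trafficmp[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Spyware:Spyware/ShopNav Not disinfected C:\Recycled\Dc1\SrngUtil.exe
Adware:Adware/AVSystemCare Not disinfected C:\WINNT\SYSTEM32\FAXOCMO.1
Adware:Adware/Popuper Not disinfected C:\WINNT\SYSTEM32\IEPEERSJ.DLL
Virus:Trj/Downloader.RKS Disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\faxocmo.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\Nircmd.exe
"""

# One line = "<category>:<detection name> <status> <path>". The detection name
# may itself contain spaces ("Cookie/Traffic Marketplace"), so it is matched
# lazily and the status keyword is what anchors the split.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) (?P<status>Disinfected|Not disinfected) (?P<path>.+)$"
)


def parse_activescan(text):
    """Return one dict per incident line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(rec):
    """Assign a triage label (label names are hypothetical, chosen for this example)."""
    name = rec["name"]
    path = rec["path"].lower()
    if rec["status"] == "Disinfected":
        return "already-handled"      # the scanner fixed it; nothing left to do
    if name.startswith("Cookie/"):
        return "tracking-cookie"      # a data file, no code runs; clear with a temp-file cleaner
    if ".exe[" in path:
        # The hit is a member of an archive embedded in another executable
        # (ComboFix.exe[...]): assumed to be packaged with the removal tool.
        return "bundled-in-tool"
    if rec["category"] == "Potentially unwanted tool":
        return "pua-review"           # admin utility or attacker-dropped helper: decide per host
    if path.startswith("c:\\recycled\\") or "\\quarantine\\" in path:
        return "recycle-bin"          # already moved aside; empty the bin or quarantine
    return "manual-removal"           # a live file the scanner could not clean


def summarize(text):
    """Map each triage label to the list of affected paths, in log order."""
    out = {}
    for rec in parse_activescan(text):
        out.setdefault(triage(rec), []).append(rec["path"])
    return out


if __name__ == "__main__":
    for label, paths in summarize(SAMPLE_LOG).items():
        print(f"{label} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

Run on the sample, the only "manual-removal" entries are the two files under `C:\WINNT\SYSTEM32`, which is exactly what the next post targets with a CFScript; the cookies and the already-deleted ShopNav files in the recycle bin need no further action.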
  4. #14
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINNT\SYSTEM32\FAXOCMO.1
    C:\WINNT\SYSTEM32\IEPEERSJ.DLL
    Save this as "CFScript"

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    Then post the results log.

  5. #15
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    The log results are here:

    ComboFix 08-02-20.2 - Administrator 02/23/2008 11:52:41.3 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.66 [GMT -6:00]
    Running from: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator.Q-97FBMBPER9UG0\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINNT\SYSTEM32\FAXOCMO.1
    C:\WINNT\SYSTEM32\IEPEERSJ.DLL
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINNT\SYSTEM32\FAXOCMO.1
    C:\WINNT\SYSTEM32\IEPEERSJ.DLL

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
    .

    2008-02-23 11:52 . 02/23/08 11:52a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_224.dat
    2008-02-22 16:18 . 02/22/08 04:18p 277,470 ---h----- C:\WINNT\ShellIconCache
    2008-02-21 23:14 . 06/05/07 10:56a 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
    2008-02-21 22:32 . 02/21/08 10:32p <DIR> d-------- C:\WINNT\system32\ActiveScan
    2008-02-21 22:32 . 02/22/08 05:25p 30,590 --a------ C:\WINNT\system32\pavas.ico
    2008-02-21 22:32 . 02/22/08 05:25p 2,550 --a------ C:\WINNT\system32\Uninstall.ico
    2008-02-21 22:32 . 02/22/08 05:25p 1,406 --a------ C:\WINNT\system32\Help.ico
    2008-02-15 02:10 . 02/15/08 02:10a 156 --a------ C:\WINNT\wininit.ini
    2008-02-14 17:46 . 02/14/08 05:46p <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-13 18:16 . 02/13/08 05:54p 691,545 --a------ C:\WINNT\unins000.exe
    2008-02-13 18:16 . 02/13/08 06:16p 3,466 --a------ C:\WINNT\unins000.dat
    2008-02-07 22:14 . 02/07/08 10:14p <DIR> d-------- C:\WINNT\system32\Macromed

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-11 22:35 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
    2007-12-11 22:34 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
    2007-12-11 22:34 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
    2007-12-11 22:34 129,784 ------w C:\WINNT\system32\pxafs.dll
    2007-12-11 22:34 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
    2007-12-11 22:34 118,520 ------w C:\WINNT\system32\pxinsi64.exe
    2007-12-11 22:34 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
    2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
    2007-12-11 22:33 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
    2007-12-11 22:33 81,920 ----a-w C:\WINNT\system32\dpl100.dll
    2007-12-11 22:33 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
    2007-12-11 22:33 682,496 ----a-w C:\WINNT\system32\DivX.dll
    2007-12-11 22:33 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
    2007-12-11 22:33 57,344 ----a-w C:\WINNT\system32\dpv11.dll
    2007-12-11 22:33 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
    2007-12-11 22:33 344,064 ----a-w C:\WINNT\system32\dpus11.dll
    2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu11.dll
    2007-12-11 22:33 294,912 ----a-w C:\WINNT\system32\dpu10.dll
    2007-12-11 22:33 196,608 ----a-w C:\WINNT\system32\dtu100.dll
    2007-12-11 22:32 156,992 ----a-w C:\WINNT\system32\DivXCodecVersionChecker.exe
    2007-12-11 22:32 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
    2007-08-11 19:41 271 ---h--w C:\Program Files\desktop.ini
    2007-08-11 19:41 21,952 ---h--w C:\Program Files\folder.htt
    1999-12-07 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    1998-12-09 07:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 07:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 07:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 07:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 07:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 07:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 07:00a 186640]

    R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINNT\System32\drivers\cwbwdm.sys [11/01/99 10:10p]
    R3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\System32\DRIVERS\el575nd5.sys [10/19/99 02:50p]
    R3 neo20xx;neo20xx;C:\WINNT\System32\DRIVERS\neo20xx.sys [10/18/99 02:39p]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 11:56:31
    Windows 5.0.2195 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 02/23/2008 11:58:42
    ComboFix-quarantined-files.txt 2008-02-23 17:58:38
    ComboFix2.txt 2008-02-20 22:01:10

  6. #16
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Download the OTMoveIt.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.

    Press cleanup & it will search for and delete/uninstall all the tools we have used
    to fix your problems and all their backup folders and then delete itself when you next reboot.

    That should do it.
    Last edited by little eagle; 2008-02-23 at 22:08.

  7. #17
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    gmer?

    Um..... it says gmer is not found and it just stops. I still have some things on there. I still have OTMoveIt, ATF-Cleaner, and HiJackThis. It just says it can't find gmer. Is this a problem?

  8. #18
    Emeritus
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,144

    Is this a problem?
    No. Keep ATF and use it once a week to clean out temp files. You can delete OTMoveIt if it's still there after rebooting. HijackThis you can keep; hope we don't need it later.

  9. #19
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    Thank you, thank you, thank you!!!!!!!!!!!!!!!!!!!!!
    You are the MAN! Thank you again. You are the best! No virus can outsmart you, lol. I won't forget your kindness.

  10. #20
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    118

    There's just one more thing I would like to ask you. To make sure your effort doesn't go to waste, give me tips on some programs I should use to keep my computer safe from malware.
