Thread: very infected

  1. #1
    Junior Member (Join Date: Feb 2008, Posts: 6)

    very infected

    Hi,

    I've got a bad infection of adware. I've run Super Anti-Spyware and Spybot and Norton Anti-Virus and nothing gets rid of everything. Right now, when I open My Computer, the icon next to my C drive (which was always the standard light-gray icon) has spontaneously changed to a big red X, like the delete mark. It's like my hard drive is slated for deletion and I'm afraid to turn off my computer. Anyway, I ran a Kaspersky scan and HijackThis and I'll paste the results below.

    Saturday, February 16, 2008 12:15:01 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 16/02/2008
    Kaspersky Anti-Virus database records: 569028


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 77548
    Number of viruses found 7
    Number of infected objects 24
    Number of suspicious objects 0
    Duration of the scan process 00:52:34

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Support.com\profiles\kat\triggers.log Object is locked skipped

    C:\Documents and Settings\kat\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

    C:\Documents and Settings\kat\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

    C:\Documents and Settings\kat\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

    C:\Documents and Settings\kat\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

    C:\Documents and Settings\kat\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

    C:\Documents and Settings\kat\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\kat\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\kat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\History\History.IE5\MSHist012008021620080217\index.dat Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Temp\~DFE12A.tmp Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Temp\~DFE135.tmp Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Temporary Internet Files\Content.IE5\2X4UO355\setup_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.dq skipped

    C:\Documents and Settings\kat\Local Settings\Temporary Internet Files\Content.IE5\5O5LYBIN\inform_proxy[1].htm Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Temporary Internet Files\Content.IE5\5O5LYBIN\inform_proxy[3].htm Object is locked skipped

    C:\Documents and Settings\kat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\kat\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\kat\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped

    C:\Program Files\WebMediaPlayer\uninst.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.bi skipped

    C:\Program Files\WebMediaPlayer\uninst.exe/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.bi skipped

    C:\Program Files\WebMediaPlayer\uninst.exe NSIS: infected - 2 skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP605\A0036093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP606\A0041166.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP607\A0045288.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP611\A0051646.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP613\A0055767.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP615\A0059143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0059290.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0059291.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0059292.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0061297.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP617\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{0C1D9841-486A-40BF-9FA1-15CBD9FD485B}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\bwlkvmpk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\cxjqiiyr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\ddgpvsmv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped

    C:\WINDOWS\system32\drivers\termddd.sys Object is locked skipped

    C:\WINDOWS\system32\dtpxeyur.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\ijsfpndt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\jeb3\tewdrives22.exe Infected: Trojan-Downloader.Win32.Small.hwg skipped

    C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped

    C:\WINDOWS\system32\qnflmcnr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\ukixgowh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:22:25 PM, on 2/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
    C:\WINDOWS\system32\dlcdcoms.exe
    C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun-angel.com/abraham/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190296860125
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 7736 bytes

    I sure hope somebody can help me.....
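
An added triage helper for the Kaspersky report pasted above (this is example code written for this page, not from the thread and not Kaspersky's tooling). It separates the three verdict shapes that report contains: "Object is locked skipped" (the scanner could not open the file, which is not a detection and is normal for registry hives, event logs and index.dat files), "Infected: <name> skipped", and the archive summary "NSIS: infected - 2 skipped". It then reports what an analyst reads first: detections grouped by name, which ones carry Kaspersky's "not-a-virus:" adware/riskware prefix versus trojans, which copies sit under System Volume Information (restore-point copies that return on a restore unless the restore points are purged after cleanup), and which hits follow the eight-random-letter system32 DLL naming the Virtumonde entries share. The sample lines are a constructed excerpt of that report; the naming heuristic is an assumption drawn from this thread's file names, not a Kaspersky rule.

```python
"""Triage helper for Kaspersky Online Scanner report lines.

Added example for this thread; not Kaspersky's code and not one of the tools
the helper asked for. Each report line is "<path> <verdict>", and the report
above contains three verdict shapes, which this parser tells apart:
  "Object is locked skipped"                 file could not be opened; no detection
  "Infected: <name> skipped"                 detection on a file or an archive member
  "<archive type>: infected - <n> skipped"   the archive container summarising members
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<fmt>\w+): infected - (?P<n>\d+) skipped$")
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)
# Heuristic (assumption) taken from the files in this thread: the Virtumonde/Vundo
# DLLs are named with eight random lowercase letters directly under system32
# (bwlkvmpk.dll, cxjqiiyr.dll, ...).
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll(\.vir)?$", re.IGNORECASE)

# Constructed sample: a short excerpt of the Kaspersky report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\kat\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\kat\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\WebMediaPlayer\uninst.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.NaviPromo.bi skipped
C:\Program Files\WebMediaPlayer\uninst.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP616\A0061297.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\WINDOWS\system32\bwlkvmpk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jeb3\tewdrives22.exe Infected: Trojan-Downloader.Win32.Small.hwg skipped
Scan process completed.
"""


@dataclass
class Finding:
    path: str
    verdict: str            # "locked", "infected" or "archive"
    name: Optional[str]     # detection name, or the archive format for "archive"
    riskware: bool          # "not-a-virus:" prefix = adware/riskware class, not a trojan
    in_restore_point: bool  # System Restore copy; survives cleanup until restore points are purged
    random_sys32_name: bool


def parse_line(line: str) -> Optional[Finding]:
    """Classify one report line; returns None for blanks, the header and the footer."""
    line = line.strip()
    if m := LOCKED.match(line):
        return Finding(m["path"], "locked", None, False,
                       bool(RESTORE_POINT.search(m["path"])), False)
    if m := INFECTED.match(line):
        path, name = m["path"], m["name"]
        return Finding(path, "infected", name, name.startswith("not-a-virus:"),
                       bool(RESTORE_POINT.search(path)), bool(RANDOM_SYS32_DLL.search(path)))
    if m := ARCHIVE.match(line):
        return Finding(m["path"], "archive", m["fmt"], False, False, False)
    return None


def parse_report(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """The numbers to read first: real detections versus files the scanner merely could not open."""
    infected = [f for f in findings if f.verdict == "infected"]
    archives = [f for f in findings if f.verdict == "archive"]
    return {
        "locked": sum(1 for f in findings if f.verdict == "locked"),
        # Kaspersky counts the archive container as an object too, so this total
        # matches the report's "Number of infected objects" line.
        "infected_objects": len(infected) + len(archives),
        "distinct_detections": len({f.name for f in infected}),
        "by_detection": Counter(f.name for f in infected),
        "trojans": [f.path for f in infected if not f.riskware],
        "restore_point_copies": [f.path for f in infected if f.in_restore_point],
        "random_named_dlls": [f.path for f in infected if f.random_sys32_name],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run over the complete report above, infected_objects comes out at 24 and distinct_detections at 7, the two totals in its Scan Statistics block; every other entry is a locked file, not an infection, so the "Number of infected objects" line is the number to act on.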

  2. #2
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Good morning, I will do my best to help if you do your best to follow the instructions I post.

    1) See This: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\j2re1.4.2_03\ <<< BADLY out of date and likely why you are infected; download the newest version and uninstall all old versions in Add/Remove Programs.

    2) You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

    3) SUPERAntiSpyware <<< turn this program off so it does not interfere with our tools. Do you own this program?

    4) Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    (wait until you finish to post reports and logs)

    5) Tutorial if needed:
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the Vundofix.txt, combofix log and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member (Join Date: Feb 2008, Posts: 6)

    what about deletion

    Thank you so much for replying--it sounds like this is going to work! I'm still freaked out, though, about the big, red X that is now right next to my hard drive when I look at My Computer. Do you know what this means? I feel afraid that shutting down is going to delete my hard drive. Sounds crazy, I know, but it appeared from nowhere and replaced the usual hard drive icon. What do you think is going on?

  4. #4
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Hard to tell which infection placed the X; you have several. My advice is to read and follow the directions carefully and in the posted order.

    Here is a little information about one of the infections:
    http://www.networkworld.com/news/200...-unravels.html
    http://www.youtube.com/watch?v=zBUZHiKhsog
    http://msmvps.com/blogs/spywaresucks...q=winfixer+msn

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member (Join Date: Feb 2008, Posts: 6)

    logs

    Okay, I think I've run everything that you recommended. To answer your question about Super AntiSpyware, I do not own it but downloaded the free version. Bad choice? Also, my hard drive did not delete when I shut down my computer (as I'd feared) but the X is still the icon for Local Disk. Strange.

    Already, things seem to be running better. I'll post my logs below.

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 7:05:16 PM 2/19/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\bwlkvmpk.dll
    C:\WINDOWS\system32\cxjqiiyr.dll
    C:\windows\system32\ddgpvsmv.dllbox
    C:\WINDOWS\system32\dtpxeyur.dll
    C:\windows\system32\emuwgkid.dllbox
    C:\windows\system32\ggghiffo.dllbox
    C:\WINDOWS\system32\ijsfpndt.dll
    C:\windows\system32\jhgfowpl.dllbox
    C:\windows\system32\nrxkqgue.dllbox
    C:\windows\system32\pthvwygq.dllbox
    C:\WINDOWS\system32\qnflmcnr.dll
    C:\windows\system32\uhuucsht.dllbox
    C:\WINDOWS\system32\ukixgowh.dll
    C:\windows\system32\vwtecqae.dllbox
    C:\windows\system32\ygckqswm.dllbox

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\bwlkvmpk.dll
    C:\WINDOWS\system32\bwlkvmpk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cxjqiiyr.dll
    C:\WINDOWS\system32\cxjqiiyr.dll Has been deleted!

    Attempting to delete C:\windows\system32\ddgpvsmv.dllbox
    C:\windows\system32\ddgpvsmv.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dtpxeyur.dll
    C:\WINDOWS\system32\dtpxeyur.dll Has been deleted!

    Attempting to delete C:\windows\system32\emuwgkid.dllbox
    C:\windows\system32\emuwgkid.dllbox Has been deleted!

    Attempting to delete C:\windows\system32\ggghiffo.dllbox
    C:\windows\system32\ggghiffo.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ijsfpndt.dll
    C:\WINDOWS\system32\ijsfpndt.dll Has been deleted!

    Attempting to delete C:\windows\system32\jhgfowpl.dllbox
    C:\windows\system32\jhgfowpl.dllbox Has been deleted!

    Attempting to delete C:\windows\system32\nrxkqgue.dllbox
    C:\windows\system32\nrxkqgue.dllbox Has been deleted!

    Attempting to delete C:\windows\system32\pthvwygq.dllbox
    C:\windows\system32\pthvwygq.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qnflmcnr.dll
    C:\WINDOWS\system32\qnflmcnr.dll Has been deleted!

    Attempting to delete C:\windows\system32\uhuucsht.dllbox
    C:\windows\system32\uhuucsht.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ukixgowh.dll
    C:\WINDOWS\system32\ukixgowh.dll Has been deleted!

    Attempting to delete C:\windows\system32\vwtecqae.dllbox
    C:\windows\system32\vwtecqae.dllbox Has been deleted!

    Attempting to delete C:\windows\system32\ygckqswm.dllbox
    C:\windows\system32\ygckqswm.dllbox Has been deleted!

    Performing Repairs to the registry.
    Done!

    ComboFix 08-02-20.2 - kat 2008-02-19 20:37:07.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.208 [GMT -5:00]
    Running from: C:\Documents and Settings\kat\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

    !!

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\termddd.sys
    C:\Documents and Settings\All Users\Application Data\salesmonitor
    C:\Documents and Settings\kat\Application Data\MANTEC~1
    C:\Documents and Settings\kat\err.log
    C:\Documents and Settings\kat\My Documents\RACLE~1
    C:\Documents and Settings\kat\Start Menu\Programs\WebMediaPlayer
    C:\Documents and Settings\kat\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
    C:\Documents and Settings\kat\Start Menu\Programs\WebMediaPlayer\Website.lnk
    C:\Program Files\Common Files\crosof~1
    C:\Program Files\Common Files\crosof~1\??crosoft\
    C:\Program Files\Temporary
    C:\Program Files\webmediaplayer
    C:\Program Files\webmediaplayer\resources\languages.xml
    C:\Program Files\webmediaplayer\resources\webmedias
    C:\Program Files\webmediaplayer\skins\classic.skn
    C:\Program Files\webmediaplayer\sqlite3.dll
    C:\Program Files\webmediaplayer\uninst.exe
    C:\Program Files\webmediaplayer\WebMediaPlayer.url
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\isgTi19
    C:\Temp\isgTi19\lPig.log
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pack.epk
    C:\WINDOWS\system32\acbeg.ini
    C:\WINDOWS\system32\acbeg.ini2
    C:\WINDOWS\system32\ayadd.ini2
    C:\WINDOWS\system32\bbeeg.ini2
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\termddd.sys
    C:\WINDOWS\system32\dwkwljax.ini
    C:\WINDOWS\system32\ehxpfrap.ini
    C:\WINDOWS\system32\gwrjmgvm.dat
    C:\WINDOWS\system32\gwrjmgvm_navps.dat
    C:\WINDOWS\system32\gykihovd.ini
    C:\WINDOWS\system32\hahdsnxd.ini
    C:\WINDOWS\system32\ilkkj.ini
    C:\WINDOWS\system32\ilkkj.ini2
    C:\WINDOWS\system32\ipqsqgma.ini
    C:\WINDOWS\system32\jjkmp.ini
    C:\WINDOWS\system32\jjkmp.ini2
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pxxuiouu.ini
    C:\WINDOWS\system32\quhjsjka.ini
    C:\WINDOWS\system32\saomsvsw.ini
    C:\WINDOWS\system32\sncbrqhb.ini
    C:\WINDOWS\system32\tstwa.ini2
    C:\WINDOWS\system32\uvvwa.ini2
    C:\WINDOWS\system32\vnkfhson.ini
    C:\WINDOWS\system32\vojgpslw.ini
    C:\WINDOWS\system32\xyadd.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_TERMDDD
    -------\termddd


    ((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
    .

    2008-02-19 19:05 . 2008-02-19 19:05 <DIR> d-------- C:\VundoFix Backups
    2008-02-19 18:13 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-19 18:12 . 2008-02-19 18:12 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-02-14 09:46 . 2008-02-14 09:46 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-02-12 13:57 . 2008-02-12 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-12 13:25 . 2008-02-12 13:25 <DIR> d-------- C:\Program Files\CCleaner
    2008-02-12 09:27 . 2008-02-13 09:11 1,331,721 ---hs---- C:\WINDOWS\system32\ewtempfg.ini
    2008-02-09 14:46 . 2008-02-09 14:46 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
    2008-02-09 12:56 . 2008-02-09 12:56 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
    2008-02-09 07:59 . 2008-02-09 07:59 163,904 --a------ C:\WINDOWS\system32\ddgpvsmv.dll.vir
    2008-02-09 07:55 . 2008-02-09 20:34 <DIR> d-------- C:\Program Files\Drmupgds
    2008-02-08 09:36 . 2008-02-09 12:51 <DIR> d-------- C:\Program Files\Norton Security Scan
    2008-02-08 09:24 . 2008-02-08 09:24 <DIR> d-------- C:\WINDOWS\3A4FFB84D0704DA5AB7BD41D87FD8D19.TMP
    2008-02-05 19:12 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-02-05 19:12 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-02-05 19:12 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-05 19:07 . 2008-02-05 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-01 14:14 . 2008-02-01 14:14 <DIR> d-------- C:\Program Files\Scholastic
    2008-01-31 08:39 . 2008-02-01 08:54 1,957,685 ---hs---- C:\WINDOWS\system32\jpfshxjx.ini
    2008-01-29 21:43 . 2008-01-29 21:43 <DIR> d-------- C:\Temp\gTiis19
    2008-01-29 21:42 . 2008-01-29 21:42 <DIR> d-------- C:\WINDOWS\system32\wts1
    2008-01-29 21:42 . 2008-01-30 11:28 <DIR> d-------- C:\WINDOWS\system32\vip4
    2008-01-29 21:42 . 2008-01-30 09:49 <DIR> d-------- C:\WINDOWS\system32\knis6
    2008-01-29 21:42 . 2008-01-29 21:42 <DIR> d-------- C:\WINDOWS\system32\jeb3
    2008-01-29 21:42 . 2008-01-29 21:42 <DIR> d-------- C:\Temp\cXzz9
    2008-01-25 16:11 . 2008-01-25 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
    2008-01-24 18:56 . 2008-01-24 18:56 <DIR> d-------- C:\Program Files\Veoh Networks
    2008-01-21 11:07 . 2008-01-21 11:07 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-01-21 11:05 . 2008-01-21 11:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-20 01:35 --------- d-----w C:\Program Files\Dl_cats
    2008-02-19 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-19 23:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-19 23:15 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-02-19 23:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-19 23:15 --------- d-----w C:\Documents and Settings\kat\Application Data\SUPERAntiSpyware.com
    2008-02-19 23:13 --------- d-----w C:\Program Files\Java
    2008-02-19 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-02-12 18:59 --------- d-----w C:\Program Files\ComcastToolbar
    2008-02-09 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-09 12:40 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-24 14:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-24 14:01 --------- d-----w C:\Program Files\EA Games
    2008-01-20 14:02 --------- d--h--w C:\Documents and Settings\kat\Application Data\Move Networks
    2008-01-17 13:38 --------- d-----w C:\Program Files\iTunes
    2008-01-17 13:38 --------- d-----w C:\Program Files\iPod
    2008-01-17 13:36 --------- d-----w C:\Program Files\QuickTime
    2008-01-08 18:07 --------- d-----w C:\Documents and Settings\kat\Application Data\Juniper Networks
    2007-12-22 13:58 --------- d-----w C:\Documents and Settings\kat\Application Data\Apple Computer
    2007-12-22 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-12-22 13:56 --------- d-----w C:\Program Files\Common Files\Apple
    2007-12-22 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2007-12-22 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2006-11-12 14:43 56 --sh--r C:\WINDOWS\system32\81F1C1BEF1.sys
    2006-11-12 14:43 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 18:34 68856]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 09:58 1773568]
    "DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 07:39 69632]
    "dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 08:45 430080]
    "MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 06:05 282624]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 14:53 88024]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 09:23 185632]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-15 20:23:38 124912]
    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-03-31 12:53:55 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "System"=" "

    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-11-30 01:25]
    S3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 09:19]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-08 17:58:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-01 11:33:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 20:41:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-19 20:42:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-20 01:42:51
    .
    2008-02-14 00:50:02 --- E O F ---


    Oops, too many characters to post all in one reply. HiJack This log to follow in next post.

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    6

    Default hijack this log

    Here is the final log. Whoever you might be, I am deeply appreciative of all your work on this!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:45:28 PM, on 2/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun-angel.com/abraham/index.php
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...en/x86/client/muweb_site.cab?1190296860125
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/...mai.com/6712/player/install/installer.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 7083 bytes

  7. #7
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Okay, I think I've run everything that you recommended. To answer your question about Super AntiSpyware, I do not own it but downloaded the free version. Bad choice?
    No...SAS is a good program and we use the trial a lot. I would just like to see the log you got from it if it is still available. I want you to know it does use resources, so you will want to uninstall it after the trial unless you purchase the program. It is going to slow you some until that point.

    It is important that you follow the directions here: http://forums.spybot.info/showthread.php?t=288 which is why I posted it and asked you to read it.
    Note: In notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
    single-spaced - (of type or print) not having a blank space between lines. It is preferable, and the log easier to read, if you do not use the [code] or [php] options.
    Post a new HJT log after you turn off formatting in notepad; this slows both of us.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    6

    Default new hjt log

    Sorry about that. I did read the instructions and thought that I had unchecked Word Wrap but I guess I actually did the opposite. I'm obviously no techie, not even close.....

    I uninstalled the Super AntiSpyware before I started everything because I didn't want it to interfere with the process.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:28:31 AM, on 2/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
    C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\WINDOWS\system32\dlcdcoms.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun-angel.com/abraham/index.php
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190296860125
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 8048 bytes

  9. #9
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the new HJT log, let's see what we have left, no problem with SAS.

    I see this in your first Kaspersky scan:
    C:\Program Files\WebMediaPlayer\uninst.exe/stream ------> AdWare.Win32.NaviPromo.bi skipped
    That is often an indication of a hidden rootkit. The HJT log is clean and from all appearances, combofix and Vundofix did their job. We will run a tool to look for the hidden rootkit, but before we remove combofix I want you to have the opportunity to install Recovery Console if you wish.

    I am sure you saw this:
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
    If you do not wish to install RC, let me know so I can continue with the cleanup.

    To look for NaviPromo.bi do this:

    Please download F-Secure Blacklight:
    ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    and save to your C:\ drive.
    Open a command window by going to Start > Run and typing: cmd
    Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    Hit "Enter" to start the program and then close the cmd box.
    Accept the user agreement and click "Next".
    Click "Scan".
    After the scan is complete, click "Next", then "Exit".
    BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
    Exit Blacklight and post the contents of the log in your next reply.

    If you install RC, post the .txt file that opens for me also.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
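The helper's reading of the HJT log above (start page, unknown Winsock LSP file, services with an unknown owner, dangling "(file missing)" entries) can be mechanised. The script below is an added example, not a tool from this thread or from the helpers quoted in it; its section and path regexes are assumptions derived from the line shapes in these logs rather than from a HijackThis specification, and its sample lines are copied from the second HJT log posted here.

```python
"""Triage helper for HijackThis log lines (added example, not from the thread).

Handles the line shapes that appear in the logs above (R0, O2, O4, O9, O10,
O16, O23) and reports the entries a malware-removal helper reads first.
It does not decide what is malicious: every finding is a question for the
log's owner or a lookup, which is how the helpers in this thread use it.
"""
import re

# Entry lines look like "O4 - ..." or "R0 - ...".  The section regex and the
# target regex are assumptions built from this thread's own log lines, not
# from a HijackThis specification.
_SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
_TARGET_RE = re.compile(
    r"(?:[A-Za-z]:\\|https?://|res://).+?\.(?:exe|dll|sys|cab|ocx)\b",
    re.IGNORECASE,
)

# Constructed sample: lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun-angel.com/abraham/index.php
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""


def parse_line(line):
    """Split one entry into (section, body); return None for headers, process lists, blanks."""
    match = _SECTION_RE.match(line.strip())
    if not match:
        return None
    return match.group(1), match.group(2)


def target_of(body):
    """Return the file or URL an entry loads, or None when no such token is present."""
    match = _TARGET_RE.search(body)
    return match.group(0) if match else None


def triage(log_text):
    """Return [(section, reason, target_or_line)] for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        where = target_of(body) or raw.strip()
        if section in ("R0", "R1") and "Start Page" in body:
            # Report every configured start page; whether the user chose it is a
            # question for the user, not something the log can answer.
            findings.append((section, "browser start page is set", where))
        elif section == "O10":
            # HJT prints O10 only for LSP modules it cannot identify.  nwprovau.dll
            # is the Windows NetWare client provider, so this entry calls for a
            # lookup of the file, not a removal.
            findings.append((section, "unrecognised Winsock LSP module", where))
        elif section == "O23" and "Unknown owner" in body:
            # Services without a vendor string are checked against the software
            # that owns the path (here the Dell printer driver set).
            findings.append((section, "service with unknown owner", where))
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            # Dangling entries are harmless but are cleaned up so they stop
            # reappearing in later logs.
            findings.append((section, "target file missing", where))
    return findings


if __name__ == "__main__":
    for section, reason, where in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:32} {where}")
```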

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    No response since: 2008-02-20, 08:29

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please request this by sending the moderating team
    a PM with the address of the thread. This applies only to the original topic starter.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
