
Thread: I Cannot Remove Smitfraud

  1. #1
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    I Cannot Remove Smitfraud

    I've tried for a while to get rid of this thing. I've tried all the spyware tools and also general instructions such as running SmitfraudFix.exe but to no avail. Here are my HJT and KAV logs. Let me thank you in advance for your help.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 22, 2008 7:14:33 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 22/02/2008
    Kaspersky Anti-Virus database records: 576071
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 52364
    Number of viruses found: 6
    Number of infected objects: 18
    Number of suspicious objects: 0
    Duration of the scan process: 00:43:31

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\tmcguire\~Running.ping Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\SMSCliToknLocalAcct&\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\SMSCliToknLocalAcct&\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\svcSMS\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\svcSMS\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
    C:\Documents and Settings\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-402ffcaf.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\tmcguire\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\tmcguire\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\tmcguire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\tmcguire\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\tmcguire\Local Settings\Temp\Perflib_Perfdata_b0c.dat Object is locked skipped
    C:\Documents and Settings\tmcguire\Local Settings\Temp\~DFC702.tmp Object is locked skipped
    C:\Documents and Settings\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\tmcguire\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\tmcguire\NTUSER.DAT.LOG Object is locked skipped
    C:\Program Files\Remote Services\WENGINE\dbgtrace.log Object is locked skipped
    C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080222.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-47a712ef.zip ZIP: infected - 1 skipped
    C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\TEMP\oldprofile\tmcguire\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b44b06f-4de34aa1.zip ZIP: infected - 1 skipped
    C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp/mobjchku.exe Infected: not-a-virus:AdWare.Win32.BHO.xv skipped
    C:\TEMP\oldprofile\tmcguire\Local Settings\Temp\nsr1A.tmp ZIP: infected - 1 skipped
    C:\TEMP\oldprofile\tmcguire\Local Settings\Temporary Internet Files\Content.IE5\6LAT0HKZ\wavvsnet[1].exe Infected: Trojan-Downloader.Win32.Small.hcu skipped
    C:\VNCTEMP\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
    C:\WINDOWS\system32\drivers\tosdvdd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_bf0.dat Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\TIMET Laptop\Spyware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    F:\TIMET Laptop\Spyware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    F:\TIMET Laptop\Spyware\SmitfraudFix.exe RarSFX: infected - 2 skipped
    F:\TIMET Laptop\Spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    Scan process completed.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:45 PM, on 2/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Remote Services\AM.utEventServer.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\program files\cisco systems\vpn client\cvpnd.exe
    C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Remote Services\AM.blScriptEngine.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\TEMP\QO5A87.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\Adobe\Distillr\AcroDist.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\msupdtck.exe
    C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TIMET usnpx
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [internat] internat.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
    O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
    O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
    O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10542 bytes

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.
    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. If you don't know, stop and ask! Don't keep going on.
    2. Please reply to this thread. Do not start a new topic.
    3. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those three things, everything should go smoothly :D

    ----------------------------------------------------------------------------------------


    Submit a File For Analysis
    We need to have the files below scanned by uploading them to VirusTotal.

    Please visit Virustotal
    Copy/paste the following file path into the window
    c:\windows\langver.exe
    Click Submit/Send File
    Please post back, to let me know the results.

    Please do the same for the following file
    C:\WINDOWS\system32\msupdtck.exe

    If Virustotal is too busy please try Jotti


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    VirusTotal Results

    File langver.exe received on 02.25.2008 02:35:03 (CET)


    Result: 0/32 (0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.2.22.0 2008.02.22 -
    AntiVir 7.6.0.67 2008.02.24 -
    Authentium 4.93.8 2008.02.24 -
    Avast 4.7.1098.0 2008.02.24 -
    AVG 7.5.0.516 2008.02.24 -
    BitDefender 7.2 2008.02.25 -
    CAT-QuickHeal 9.50 2008.02.22 -
    ClamAV 0.92.1 2008.02.25 -
    DrWeb 4.44.0.09170 2008.02.24 -
    eSafe 7.0.15.0 2008.02.21 -
    eTrust-Vet 31.3.5557 2008.02.23 -
    Ewido 4.0 2008.02.24 -
    FileAdvisor 1 2008.02.25 -
    Fortinet 3.14.0.0 2008.02.24 -
    F-Prot 4.4.2.54 2008.02.24 -
    F-Secure 6.70.13260.0 2008.02.25 -
    Ikarus T3.1.1.20 2008.02.25 -
    Kaspersky 7.0.0.125 2008.02.25 -
    McAfee 5236 2008.02.22 -
    Microsoft 1.3204 2008.02.24 -
    NOD32v2 2898 2008.02.23 -
    Norman 5.80.02 2008.02.22 -
    Panda 9.0.0.4 2008.02.25 -
    Prevx1 V2 2008.02.25 -
    Rising 20.32.62.00 2008.02.24 -
    Sophos 4.26.0 2008.02.24 -
    Sunbelt 3.0.893.0 2008.02.23 -
    Symantec 10 2008.02.25 -
    TheHacker 6.2.9.228 2008.02.23 -
    VBA32 3.12.6.1 2008.02.21 -
    VirusBuster 4.3.26:9 2008.02.24 -
    Webwasher-Gateway 6.6.2 2008.02.24 -
    Additional information
    File size: 163435 bytes
    MD5: be7dfdade13e3f2c8578940235a6b8fe
    SHA1: b0daa40beb4e6fd63620379d62e638ab3edee5b4
    PEiD: Armadillo v1.71

    File msupdtck.exe received on 02.25.2008 02:41:07 (CET)


    Result: 10/32 (31.25%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.2.22.0 2008.02.22 -
    AntiVir 7.6.0.67 2008.02.24 TR/PSW.Stealer.125440.2
    Authentium 4.93.8 2008.02.24 -
    Avast 4.7.1098.0 2008.02.24 -
    AVG 7.5.0.516 2008.02.24 SHeur.AIKB
    BitDefender 7.2 2008.02.25 DeepScan:Generic.PWStealer.C3D3F502
    CAT-QuickHeal 9.50 2008.02.22 -
    ClamAV 0.92.1 2008.02.25 -
    DrWeb 4.44.0.09170 2008.02.24 -
    eSafe 7.0.15.0 2008.02.21 suspicious Trojan/Worm
    eTrust-Vet 31.3.5557 2008.02.23 -
    Ewido 4.0 2008.02.24 -
    FileAdvisor 1 2008.02.25 High threat detected
    Fortinet 3.14.0.0 2008.02.24 -
    F-Prot 4.4.2.54 2008.02.24 -
    F-Secure 6.70.13260.0 2008.02.25 -
    Ikarus T3.1.1.20 2008.02.25 Generic.PWStealer
    Kaspersky 7.0.0.125 2008.02.25 -
    McAfee 5236 2008.02.22 -
    Microsoft 1.3204 2008.02.24 -
    NOD32v2 2898 2008.02.23 -
    Norman 5.80.02 2008.02.22 -
    Panda 9.0.0.4 2008.02.25 Suspicious file
    Prevx1 V2 2008.02.25 Generic.Malware
    Rising 20.32.62.00 2008.02.24 -
    Sophos 4.26.0 2008.02.24 -
    Sunbelt 3.0.893.0 2008.02.23 -
    Symantec 10 2008.02.25 Trojan Horse
    TheHacker 6.2.9.228 2008.02.23 -
    VBA32 3.12.6.1 2008.02.21 -
    VirusBuster 4.3.26:9 2008.02.24 -
    Webwasher-Gateway 6.6.2 2008.02.24 Trojan.PSW.Stealer.125440.2
    Additional information
    File size: 125440 bytes
    MD5: a00571b001104378f43f85dc6d0dc21d
    SHA1: 65638b05c08fe7b441cda9862fd0fd96c0141bdd
    PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    packers: UPX
    Bit9 info: http://fileadvisor.bit9.com/services...3f85dc6d0dc21d
    packers: UPX
    packers: PE_Patch.UPX, UPX
    Prevx info: http://info.prevx.com/aboutprogramte...2B8000BB85052A

  4. #4
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    ComboFix Log

    ComboFix 08-02-25.2 - TMcGuire 2008-02-24 20:54:08.1 - NTFSx86

    Running from: C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\1cb
    C:\temp\tn3
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\tosdvdd.sys
    C:\windows\system32\explorer.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_TOSDVDD
    -------\tosdvdd


    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-22 17:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-02-22 17:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-02-22 17:34 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-02-22 17:34 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-02-22 17:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-02-22 17:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-02-22 17:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-02-22 15:16 . 2008-02-22 15:16 40,960 --a------ C:\WINDOWS\system32\rfhdfhw.exe
    2008-02-22 15:16 . 2008-02-22 15:16 40,960 --a------ C:\WINDOWS\frtghef.exe
    2008-02-22 00:31 . 2008-02-22 00:31 125,440 --a------ C:\WINDOWS\system32\msupdtck.exe
    2008-02-22 00:31 . 2008-02-22 00:31 6,144 --a------ C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
    2008-02-22 00:30 . 2008-02-22 02:03 13,312 --a------ C:\Documents and Settings\tmcguire\p4ck.exe
    2008-02-22 00:30 . 2008-02-24 20:58 6,144 --a------ C:\WINDOWS\system32\msvcrit.dll
    2008-02-21 23:50 . 2008-02-21 23:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-02-21 14:23 . 2008-02-21 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-21 14:16 . 2008-02-22 17:26 165 --a------ C:\WINDOWS\wininit.ini
    2008-02-20 17:20 . 2008-02-22 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-02-20 17:19 . 2008-02-20 17:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-19 08:15 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-02-15 15:44 . 2008-02-15 15:44 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\PC Tools
    2008-02-15 15:05 . 2008-02-14 21:24 610 --a------ C:\WINDOWS\wininit.sd
    2008-02-15 15:05 . 2006-10-25 02:51 573 --a------ C:\WINDOWS\win.tmp
    2008-02-15 15:05 . 2008-01-16 06:15 231 --a------ C:\WINDOWS\system.tmp
    2008-02-15 14:46 . 2008-02-19 08:26 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-02-15 14:46 . 2008-02-24 20:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 14:46 . 2008-02-15 14:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
    2008-02-15 14:46 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2008-02-15 14:46 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2008-02-15 14:31 . 2008-02-15 14:42 <DIR> d-------- C:\TEMP\smitRem
    2008-02-15 14:14 . 2008-02-15 14:14 <DIR> d-------- C:\Program Files\SwiftView
    2008-02-15 14:13 . 2008-02-15 14:14 <DIR> d-------- C:\JavaSoft
    2008-02-15 14:09 . 2003-02-23 02:05 60,448 --a------ C:\WINDOWS\system32\smsrc.cpl
    2008-02-15 14:08 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\WINDOWS
    2008-02-15 14:08 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\SapWorkDir
    2008-02-15 14:08 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Intel
    2008-02-15 14:08 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Citrix
    2008-02-15 14:08 . 2003-02-23 02:05 38,944 --a------ C:\WINDOWS\system32\SMSCPL32.cpl
    2008-02-15 14:07 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\WINDOWS
    2008-02-15 14:07 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\SapWorkDir
    2008-02-15 14:07 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Intel
    2008-02-15 14:07 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Citrix
    2008-02-15 14:07 . 2003-02-23 02:05 16,560 --a------ C:\WINDOWS\ISMIF16.dll
    2008-02-15 14:07 . 2003-02-23 02:05 12,128 --a------ C:\WINDOWS\ISMIF32.dll
    2008-02-15 14:05 . 2003-02-23 02:05 65,584 --a------ C:\WINDOWS\system32\SMSCfg.cpl
    2008-02-15 13:58 . 2008-02-15 14:08 <DIR> d-------- C:\VNCTEMP
    2008-02-14 10:00 . 2004-11-18 16:12 1,129,472 --a------ C:\WINDOWS\system32\msxml3.tmp
    2008-02-14 10:00 . 2004-11-18 16:12 44,032 --a------ C:\WINDOWS\system32\msxml3r.tmp
    2008-02-14 10:00 . 2004-11-18 16:12 24,576 --a------ C:\WINDOWS\system32\msxml3a.tmp
    2008-02-14 09:02 . 2008-02-14 09:02 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\Stamps.com Internet Postage
    2008-02-14 09:00 . 2008-02-14 09:02 36 --ah----- C:\WINDOWS\system32\f9t.dat
    2008-02-08 15:25 . 2008-02-08 15:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-07 16:37 . 2008-02-22 17:34 3,898 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-07 15:29 . 2008-02-08 14:58 40,960 --a------ C:\WINDOWS\system32\hjjtgyg.exe
    2008-02-07 15:29 . 2008-02-08 14:58 40,960 --a------ C:\WINDOWS\jfgurhjgfy.exe
    2008-02-07 15:29 . 2008-02-22 15:15 20,480 --a------ C:\WINDOWS\quit.exe
    2008-02-07 09:32 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\SUPERAntiSpyware.com
    2008-02-07 09:32 . 2008-02-07 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-02-06 12:36 . 2008-02-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\rp4
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\ps5
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\cz6
    2008-02-06 10:58 . 2008-02-06 11:07 <DIR> d-------- C:\WINDOWS\system32\bm1
    2008-02-06 10:52 . 2008-02-06 10:52 <DIR> d-------- C:\WINDOWS\Sun
    2008-01-28 10:18 . 2008-01-28 10:18 7,303 --a------ C:\WINDOWS\saplogonold.ini
    2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Program Files\Common Files\ArchestrA
    2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArchestrA
    2008-01-25 09:28 . 2008-02-14 10:00 <DIR> d-------- C:\WINDOWS\system32\VPCache
    2008-01-25 09:28 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\svcSMS\WINDOWS
    2008-01-25 09:28 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\svcSMS\SapWorkDir
    2008-01-25 09:28 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Intel
    2008-01-25 09:28 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Citrix
    2008-01-25 09:27 . 2003-02-23 02:05 10,176 --a------ C:\WINDOWS\system32\idisw2km.dll
    2008-01-25 09:27 . 2003-02-23 02:05 7,744 --a------ C:\WINDOWS\system32\drivers\kbstuff5.sys
    2008-01-25 09:27 . 2003-02-23 02:05 2,704 --a------ C:\WINDOWS\system32\drivers\idisw2km.sys
    2008-01-25 09:25 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\WINDOWS
    2008-01-25 09:25 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\SapWorkDir
    2008-01-25 09:25 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Intel
    2008-01-25 09:25 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Citrix
    2008-01-25 09:24 . 2008-01-25 09:24 <DIR> d-------- C:\WINDOWS\system32\smsmsgs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-23 00:19 --------- d-----w C:\Program Files\Trend Micro
    2008-02-23 00:18 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\U3
    2008-01-31 22:17 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-17 16:52 --------- d-----w C:\Program Files\eFax Messenger 4.3
    2008-01-17 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
    2008-01-17 16:51 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\eFax Messenger
    2008-01-17 14:20 --------- d-----w C:\Program Files\Srs
    2008-01-17 14:20 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-01-17 14:20 --------- d-----w C:\Program Files\Borland
    2008-01-17 14:19 --------- d-----w C:\Program Files\JavaSoft
    2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\SAP Shared
    2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\ESRI
    2008-01-17 13:12 --------- d-----w C:\Program Files\SAP
    2008-01-16 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
    2008-01-16 22:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
    2008-01-16 22:16 --------- d-----w C:\Program Files\TechSmith
    2008-01-16 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-16 21:44 --------- d-----w C:\Program Files\Wave Systems Corp
    2006-12-29 20:15 626,688 ----a-w C:\Program Files\Common Files\sapconsaccess.dll
    2006-12-29 20:15 40,960 ----a-w C:\Program Files\Common Files\DigitalSignature.ocx
    2006-12-29 20:15 3,100,672 ----a-w C:\Program Files\Common Files\sapxlhelper.dll
    2006-12-29 20:15 192,512 ----a-w C:\Program Files\Common Files\sapconsr3.dll
    2006-12-07 15:26 1,129,984 ----a-w C:\Program Files\Common Files\SAPActiveXL.xlt
    2006-12-07 15:26 1,124,864 ----a-w C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "internat"="internat.exe" []
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
    "mssdbsrv"="C:\WINDOWS\system32\msupdtck.exe" [2008-02-22 00:31 125440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "o2klang"="c:\windows\langver.exe" [2003-01-28 11:38 163435]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 03:08 1347584]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 02:04 53248]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 08:58 1032192]
    "Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 19:55 335872]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 28160 C:\WINDOWS\KHALMNPR.Exe]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
    "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "SMS Application Launcher"="C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 02:05 73584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-01-31 17:08:49 25214]
    Cisco Systems VPN Client.lnk - C:\Program Files\cisco systems\vpn client\vpngui.exe [2006-10-25 12:27:25 1445904]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2004-10-12 20:33:08 213264]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=c:\winnt\system32\setadmin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\0\0]
    "Script"=folder_redirect.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\1\0]
    "Script"=us.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 20:58:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\Program Files\Citrix\ICA Client\pnsson.dll

    PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
    -> C:\WINDOWS\system32\msvcrit.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Remote Services\AM.utEventServer.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\program files\cisco systems\vpn client\cvpnd.exe
    C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Remote Services\AM.blScriptEngine.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\TEMP\BKE51F.EXE
    C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Adobe\Distillr\AcroDist.exe
    C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-24 21:01:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-25 02:00:55

  5. #5
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    Default New HiJackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:04, on 2008-02-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Remote Services\AM.utEventServer.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\program files\cisco systems\vpn client\cvpnd.exe
    C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Remote Services\AM.blScriptEngine.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\TEMP\BKE51F.EXE
    C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\msupdtck.exe
    C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\frtghef.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [internat] internat.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
    O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
    O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
    O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10250 bytes

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    Default Uninstall Manager Log

    Access Manager
    ActiveFactory Shared Components
    Adobe Acrobat 7.0 Standard
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.1
    ADP Enterprise Tools
    ALPS Touch Pad Driver
    Autolink
    Conexant HDA D110 MDC V.92 Modem
    Dell ResourceCD
    Dell Wireless WLAN Card
    eFax Messenger 4.3
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Intel(R) Graphics Media Accelerator Driver
    Java 2 Runtime Environment, SE v1.4.2_06
    JavaSoft
    Kaspersky Online Scanner
    MetaFrame Presentation Server Client
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Office 2000 SR-1 MultiLanguage Pack Disc 1
    Microsoft Office 2000 SR-1 Standard
    Microsoft Office Outlook 2003
    Microsoft redistributable runtime DLLs VS2005 SP1(x86)
    Microsoft redistributable runtime DLLs VS2005(x86)
    OZ776 SCR CardBus Windows Driver
    PowerDVD 5.1
    QuickSet
    Rapid Pay Data Entry
    Reportsmith 3.10
    SAP GUI 7.10
    SigmaTel Audio
    SnagIt 5
    Spybot - Search & Destroy
    Spyware Doctor 4.0
    SUPERAntiSpyware Free Edition
    Trend Micro OfficeScan Client
    VPN Client
    Windows Installer 3.1 (KB893803)

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
    It is a Password Stealer.

    It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
      Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.

    I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(




    Submit a File For Analysis
    We need to have the files below Scanned by Uploading them/it to Virus Total

    Please visit Virustotal
    Copy/paste the following file path into the window
    C:\WINDOWS\system32\msvcrit.dll
    Click Submit/Send File
    Please post back, to let me know the results.

    Please do the same for the following file
    c:\winnt\system32\setadmin.exe

    If Virustotal is too busy please try Jotti

    SD Fix

    Please download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      FileLook::
      c:\winnt\system32\setadmin.exe
      DirLook::
      C:\WINDOWS\system32\rp4
      C:\WINDOWS\system32\ps5
      C:\WINDOWS\system32\cz6
      C:\WINDOWS\system32\bm1
      
      File::
      C:\WINDOWS\system32\rfhdfhw.exe
      C:\WINDOWS\frtghef.exe
      C:\WINDOWS\system32\msupdtck.exe
      C:\Documents and Settings\tmcguire\p4ck.exe
      C:\WINDOWS\system32\hjjtgyg.exe
      C:\WINDOWS\jfgurhjgfy.exe
      C:\WINDOWS\quit.exe
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "internat"=-
      "mssdbsrv"=-
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

    Read the Requirements and limitations before you click Accept.
    Allow the ActiveX download if necessary
    Once the database has downloaded, click Next.
    Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    Click on "My Computer" and then put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    Please post all the logs in reply
    Last edited by katana; 2008-02-25 at 13:26.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
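The CFScript above removes the HKCU Run values "internat" and "mssdbsrv"; the following added example (not part of the thread and not ComboFix's own code) shows how the "Reg Loading Points" section of the ComboFix log posted earlier can be triaged mechanically to reach the same two entries: it flags autostart values whose target binary was written in the days before the scan and values whose target ComboFix could not find on disk. The sample input is copied from that log; the scan time (taken from the catchme header) and the 7-day window are assumptions.

```python
"""Triage ComboFix "Reg Loading Points" output: flag autostart values whose
target binary was written shortly before the scan, or could not be found."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample input: the HKCU Run section and three HKLM Run values,
# copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"internat"="internat.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"mssdbsrv"="C:\WINDOWS\system32\msupdtck.exe" [2008-02-22 00:31 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
"""

# Assumption: the "Rootkit scan 2008-02-24 20:58:40" header in the same log
# is taken as the scan time the file timestamps are compared against.
SCAN_TIME = datetime(2008, 2, 24, 20, 58)


@dataclass
class RunEntry:
    key: str                    # registry key the value lives under
    name: str                   # value name, e.g. "mssdbsrv"
    command: str                # value data as stored in the registry
    resolved: Optional[str]     # on-disk path ComboFix resolved, if any
    mtime: Optional[datetime]   # file timestamp ComboFix printed
    size: Optional[int]         # file size ComboFix printed


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "<name>"="<command>" [<date> <time> <size> [<resolved path>]]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse the Run-key values of a ComboFix "Reg Loading Points" section."""
    entries: List[RunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue                    # policy values, blank lines, etc.
        meta = value_match.group("meta").split()
        mtime = size = resolved = None
        if len(meta) >= 3:              # "[]" or "[ ]" means file not found
            mtime = datetime.strptime(meta[0] + " " + meta[1], "%Y-%m-%d %H:%M")
            size = int(meta[2])
            # ComboFix appends the resolved path when the value data is bare
            resolved = " ".join(meta[3:]) or value_match.group("cmd")
        entries.append(RunEntry(current_key, value_match.group("name"),
                                value_match.group("cmd"), resolved, mtime, size))
    return entries


def triage(entries: List[RunEntry], scan_time: datetime,
           window_days: int = 7) -> Tuple[List[RunEntry], List[RunEntry]]:
    """Return (recent, unresolved): values whose target was written within
    window_days of the scan, and values whose target was not found on disk."""
    cutoff = scan_time - timedelta(days=window_days)
    recent = [e for e in entries if e.mtime is not None and e.mtime >= cutoff]
    unresolved = [e for e in entries if e.mtime is None]
    return recent, unresolved


if __name__ == "__main__":
    recent, unresolved = triage(parse_run_entries(SAMPLE_LOG), SCAN_TIME)
    for e in recent:
        print(f"recently written: {e.key}\\{e.name} -> {e.resolved} ({e.mtime})")
    for e in unresolved:
        print(f"target not found: {e.key}\\{e.name} -> {e.command}")
```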

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    Default New VirusTotal Logs

    File msvcrit.dll received on 02.25.2008 15:09:07 (CET)

    Result: 5/32 (15.63%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.2.22.0 2008.02.22 -
    AntiVir 7.6.0.67 2008.02.25 -
    Authentium 4.93.8 2008.02.24 -
    Avast 4.7.1098.0 2008.02.24 -
    AVG 7.5.0.516 2008.02.25 -
    BitDefender 7.2 2008.02.25 Trojan.PWS.Agent.RZO@m
    CAT-QuickHeal 9.50 2008.02.22 -
    ClamAV 0.92.1 2008.02.25 -
    DrWeb 4.44.0.09170 2008.02.25 -
    eSafe 7.0.15.0 2008.02.21 -
    eTrust-Vet 31.3.5562 2008.02.25 -
    Ewido 4.0 2008.02.25 -
    FileAdvisor 1 2008.02.25 -
    Fortinet 3.14.0.0 2008.02.25 -
    F-Prot 4.4.2.54 2008.02.24 -
    F-Secure 6.70.13260.0 2008.02.25 -
    Ikarus T3.1.1.20 2008.02.25 -
    Kaspersky 7.0.0.125 2008.02.25 -
    McAfee 5236 2008.02.22 -
    Microsoft 1.3204 2008.02.25 -
    NOD32v2 2899 2008.02.25 -
    Norman 5.80.02 2008.02.25 -
    Panda 9.0.0.4 2008.02.25 Suspicious file
    Prevx1 V2 2008.02.25 Generic.Malware
    Rising 20.33.02.00 2008.02.25 -
    Sophos 4.26.0 2008.02.25 -
    Sunbelt 3.0.893.0 2008.02.23 Trojan-PWS.Agent.RZO@m
    Symantec 10 2008.02.25 Hacktool.Rootkit
    TheHacker 6.2.9.228 2008.02.23 -
    VBA32 3.12.6.1 2008.02.21 -
    VirusBuster 4.3.26:9 2008.02.24 -
    Webwasher-Gateway 6.6.2 2008.02.25 -
    Additional information
    File size: 6144 bytes
    MD5: d189eb6ea54de20e620c2b91b191dcd2
    SHA1: 0dd05848a270caec09270b1b037723898e92c520
    PEiD: -
    Prevx info: http://info.prevx.com/aboutprogramte...DE33004F4D99A2

    File SETADMIN.EXE received on 02.25.2008 15:33:35 (CET)

    Result: 0/32 (0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.2.22.0 2008.02.22 -
    AntiVir 7.6.0.67 2008.02.25 -
    Authentium 4.93.8 2008.02.24 -
    Avast 4.7.1098.0 2008.02.24 -
    AVG 7.5.0.516 2008.02.25 -
    BitDefender 7.2 2008.02.25 -
    CAT-QuickHeal 9.50 2008.02.22 -
    ClamAV 0.92.1 2008.02.25 -
    DrWeb 4.44.0.09170 2008.02.25 -
    eSafe 7.0.15.0 2008.02.21 -
    eTrust-Vet 31.3.5562 2008.02.25 -
    Ewido 4.0 2008.02.25 -
    FileAdvisor 1 2008.02.25 -
    Fortinet 3.14.0.0 2008.02.25 -
    F-Prot 4.4.2.54 2008.02.24 -
    F-Secure 6.70.13260.0 2008.02.25 -
    Ikarus T3.1.1.20 2008.02.25 -
    Kaspersky 7.0.0.125 2008.02.25 -
    McAfee 5236 2008.02.22 -
    Microsoft 1.3204 2008.02.25 -
    NOD32v2 2899 2008.02.25 -
    Norman 5.80.02 2008.02.25 -
    Panda 9.0.0.4 2008.02.25 -
    Prevx1 V2 2008.02.25 -
    Rising 20.33.02.00 2008.02.25 -
    Sophos 4.26.0 2008.02.25 -
    Sunbelt 3.0.893.0 2008.02.23 -
    Symantec 10 2008.02.25 -
    TheHacker 6.2.9.228 2008.02.23 -
    VBA32 3.12.6.1 2008.02.21 -
    VirusBuster 4.3.26:9 2008.02.24 -
    Webwasher-Gateway 6.6.2 2008.02.25 -
    Additional information
    File size: 28672 bytes
    MD5: 32fddbfb5d653a4085a952d2e28a4d47
    SHA1: d4e20bb5ee39e252e03ce4c65eb9e3ae1d085bd9
    PEiD: -

  9. #9
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    Default SDFix Log & New HijackThis Log

    SDFix: Version 1.146

    Run by tmcguire on 02/25/2008 at 05:03 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    <<END OF SDFix Report.txt>>

    That's all that was in the report.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:08:38 PM, on 02/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Remote Services\AM.utEventServer.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\program files\cisco systems\vpn client\cvpnd.exe
    C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Remote Services\AM.blScriptEngine.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\TEMP\ZK4403.EXE
    C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\CTFMON.EXE
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\WINDOWS\system32\msupdtck.exe
    C:\Program Files\Adobe\Distillr\AcroDist.exe
    C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.timet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TIMET usnpx
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://denprx1.timet.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.timet.com;10.*.*.*;192.168.*.*;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [o2klang] c:\windows\langver.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" "/0015c51fa28d" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [internat] internat.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [mssdbsrv] C:\WINDOWS\system32\msupdtck.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-4114052182-4178402666-876730070-1011\..\RunOnce: [RunOnce] c:\windows\oem\runonce.bat (User '?')
    O4 - HKUS\S-1-5-21-484763869-606747145-725345543-44281\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\cisco systems\vpn client\vpngui.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://den2khri1:100/codebase/svinstall_a_stat.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1) - http://den2khri1:100/codebase/j2re-1_3_1-win.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\Software\..\Telephony: DomainName = ad.timet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.timet.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.timet.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
    O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
    O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\program files\cisco systems\vpn client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10663 bytes

  10. #10
    Junior Member
    Join Date
    Feb 2008
    Posts
    12

    Default New ComboFix Log

    ComboFix 08-02-25.2 - tmcguire 2008-02-25 17:15:01.2 - NTFSx86

    Running from: C:\Documents and Settings\tmcguire\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\tmcguire\Desktop\CFScript.txt

    FILE ::
    C:\Documents and Settings\tmcguire\p4ck.exe
    C:\WINDOWS\frtghef.exe
    C:\WINDOWS\jfgurhjgfy.exe
    C:\WINDOWS\quit.exe
    C:\WINDOWS\system32\hjjtgyg.exe
    C:\WINDOWS\system32\msupdtck.exe
    C:\WINDOWS\system32\rfhdfhw.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\tmcguire\p4ck.exe
    C:\WINDOWS\frtghef.exe
    C:\WINDOWS\jfgurhjgfy.exe
    C:\WINDOWS\quit.exe
    C:\WINDOWS\system32\hjjtgyg.exe
    C:\WINDOWS\system32\msupdtck.exe
    C:\WINDOWS\system32\rfhdfhw.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-25 17:01 . 2008-02-25 17:01 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-25 13:35 . 2008-02-25 13:35 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
    2008-02-25 12:10 . 2008-02-25 17:04 <DIR> d-------- C:\SDFix
    2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-22 17:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-02-22 17:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-02-22 17:34 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-02-22 17:34 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-02-22 17:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-02-22 17:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-02-22 17:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-02-22 00:31 . 2008-02-22 00:31 6,144 --a------ C:\Documents and Settings\tmcguire\Application Data\msvcrit.dll
    2008-02-22 00:30 . 2008-02-25 17:06 6,144 --a------ C:\WINDOWS\system32\msvcrit.dll
    2008-02-21 23:50 . 2008-02-21 23:50 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-02-21 14:23 . 2008-02-21 14:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-21 14:16 . 2008-02-22 17:26 165 --a------ C:\WINDOWS\wininit.ini
    2008-02-20 17:20 . 2008-02-22 16:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-02-20 17:19 . 2008-02-20 17:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-19 08:15 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-02-15 15:44 . 2008-02-15 15:44 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\PC Tools
    2008-02-15 15:05 . 2008-02-14 21:24 610 --a------ C:\WINDOWS\wininit.sd
    2008-02-15 15:05 . 2006-10-25 02:51 573 --a------ C:\WINDOWS\win.tmp
    2008-02-15 15:05 . 2008-02-24 20:58 227 --a------ C:\WINDOWS\system.tmp
    2008-02-15 14:46 . 2008-02-19 08:26 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-02-15 14:46 . 2008-02-25 17:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 14:46 . 2008-02-15 14:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
    2008-02-15 14:46 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2008-02-15 14:46 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2008-02-15 14:31 . 2008-02-15 14:42 <DIR> d-------- C:\TEMP\smitRem
    2008-02-15 14:14 . 2008-02-15 14:14 <DIR> d-------- C:\Program Files\SwiftView
    2008-02-15 14:13 . 2008-02-15 14:14 <DIR> d-------- C:\JavaSoft
    2008-02-15 14:09 . 2003-02-23 02:05 60,448 --a------ C:\WINDOWS\system32\smsrc.cpl
    2008-02-15 14:08 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\WINDOWS
    2008-02-15 14:08 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\SapWorkDir
    2008-02-15 14:08 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Intel
    2008-02-15 14:08 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliToknLocalAcct&\Application Data\Citrix
    2008-02-15 14:08 . 2003-02-23 02:05 38,944 --a------ C:\WINDOWS\system32\SMSCPL32.cpl
    2008-02-15 14:07 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\WINDOWS
    2008-02-15 14:07 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\SapWorkDir
    2008-02-15 14:07 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Intel
    2008-02-15 14:07 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&.EXT2501049D620\Application Data\Citrix
    2008-02-15 14:07 . 2003-02-23 02:05 16,560 --a------ C:\WINDOWS\ISMIF16.dll
    2008-02-15 14:07 . 2003-02-23 02:05 12,128 --a------ C:\WINDOWS\ISMIF32.dll
    2008-02-15 14:05 . 2003-02-23 02:05 65,584 --a------ C:\WINDOWS\system32\SMSCfg.cpl
    2008-02-15 13:58 . 2008-02-15 14:08 <DIR> d-------- C:\VNCTEMP
    2008-02-14 10:00 . 2004-11-18 16:12 1,129,472 --a------ C:\WINDOWS\system32\msxml3.tmp
    2008-02-14 10:00 . 2004-11-18 16:12 44,032 --a------ C:\WINDOWS\system32\msxml3r.tmp
    2008-02-14 10:00 . 2004-11-18 16:12 24,576 --a------ C:\WINDOWS\system32\msxml3a.tmp
    2008-02-14 09:02 . 2008-02-14 09:02 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\Stamps.com Internet Postage
    2008-02-14 09:00 . 2008-02-14 09:02 36 --ah----- C:\WINDOWS\system32\f9t.dat
    2008-02-08 15:25 . 2008-02-08 15:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-07 16:37 . 2008-02-22 17:34 3,898 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-07 09:32 . 2008-02-20 17:20 <DIR> d-------- C:\Documents and Settings\tmcguire\Application Data\SUPERAntiSpyware.com
    2008-02-07 09:32 . 2008-02-07 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-02-06 12:36 . 2008-02-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\rp4
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\ps5
    2008-02-06 10:58 . 2008-02-06 10:58 <DIR> d-------- C:\WINDOWS\system32\cz6
    2008-02-06 10:58 . 2008-02-06 11:07 <DIR> d-------- C:\WINDOWS\system32\bm1
    2008-02-06 10:52 . 2008-02-06 10:52 <DIR> d-------- C:\WINDOWS\Sun
    2008-01-28 10:18 . 2008-01-28 10:18 7,303 --a------ C:\WINDOWS\saplogonold.ini
    2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Program Files\Common Files\ArchestrA
    2008-01-28 08:26 . 2008-01-28 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ArchestrA
    2008-01-25 09:28 . 2008-02-14 10:00 <DIR> d-------- C:\WINDOWS\system32\VPCache
    2008-01-25 09:28 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\svcSMS\WINDOWS
    2008-01-25 09:28 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\svcSMS\SapWorkDir
    2008-01-25 09:28 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Intel
    2008-01-25 09:28 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\svcSMS\Application Data\Citrix
    2008-01-25 09:27 . 2003-02-23 02:05 10,176 --a------ C:\WINDOWS\system32\idisw2km.dll
    2008-01-25 09:27 . 2003-02-23 02:05 7,744 --a------ C:\WINDOWS\system32\drivers\kbstuff5.sys
    2008-01-25 09:27 . 2003-02-23 02:05 2,704 --a------ C:\WINDOWS\system32\drivers\idisw2km.sys
    2008-01-25 09:25 . 2006-10-24 05:42 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\WINDOWS
    2008-01-25 09:25 . 2006-10-25 12:39 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\SapWorkDir
    2008-01-25 09:25 . 2006-10-25 12:48 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Intel
    2008-01-25 09:25 . 2006-10-24 10:56 <DIR> d-------- C:\Documents and Settings\SMSCliSvcAcct&\Application Data\Citrix
    2008-01-25 09:24 . 2008-01-25 09:24 <DIR> d-------- C:\WINDOWS\system32\smsmsgs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-25 18:36 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\U3
    2008-02-23 00:19 --------- d-----w C:\Program Files\Trend Micro
    2008-01-31 22:17 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-17 16:52 --------- d-----w C:\Program Files\eFax Messenger 4.3
    2008-01-17 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
    2008-01-17 16:51 --------- d-----w C:\Documents and Settings\tmcguire\Application Data\eFax Messenger
    2008-01-17 14:20 --------- d-----w C:\Program Files\Srs
    2008-01-17 14:20 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-01-17 14:20 --------- d-----w C:\Program Files\Borland
    2008-01-17 14:19 --------- d-----w C:\Program Files\JavaSoft
    2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\SAP Shared
    2008-01-17 13:14 --------- d-----w C:\Program Files\Common Files\ESRI
    2008-01-17 13:12 --------- d-----w C:\Program Files\SAP
    2008-01-16 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
    2008-01-16 22:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\eFax Messenger
    2008-01-16 22:16 --------- d-----w C:\Program Files\TechSmith
    2008-01-16 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-16 21:44 --------- d-----w C:\Program Files\Wave Systems Corp
    2006-12-29 20:15 626,688 ----a-w C:\Program Files\Common Files\sapconsaccess.dll
    2006-12-29 20:15 40,960 ----a-w C:\Program Files\Common Files\DigitalSignature.ocx
    2006-12-29 20:15 3,100,672 ----a-w C:\Program Files\Common Files\sapxlhelper.dll
    2006-12-29 20:15 192,512 ----a-w C:\Program Files\Common Files\sapconsr3.dll
    2006-12-07 15:26 1,129,984 ----a-w C:\Program Files\Common Files\SAPActiveXL.xlt
    2006-12-07 15:26 1,124,864 ----a-w C:\Program Files\Common Files\SAPActiveXL_nosig.xlt
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    - Invalid filepath

    ---- Directory of C:\WINDOWS\system32\bm1 ----


    ---- Directory of C:\WINDOWS\system32\cz6 ----


    ---- Directory of C:\WINDOWS\system32\ps5 ----

    2008-01-05 16:48 126976 --a------ C:\WINDOWS\system32\ps5\advcomms3.exe

    ---- Directory of C:\WINDOWS\system32\rp4 ----



    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "internat"="internat.exe" []
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
    "mssdbsrv"="C:\WINDOWS\system32\msupdtck.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "o2klang"="c:\windows\langver.exe" [2003-01-28 11:38 163435]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 03:08 1347584]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 02:04 53248]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 13:33 155648]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 08:58 1032192]
    "Trend OfficeScan ImageSetup"="C:\WINDOWS\OEM\TRENDM\ImgSetup.exe" [ ]
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 19:55 335872]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 282624 C:\WINDOWS\stsystra.exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 17:38 28160 C:\WINDOWS\KHALMNPR.Exe]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
    "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "SMS Application Launcher"="C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE" [2003-02-23 02:05 73584]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-19 15:14 2136208]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-01-31 17:08:49 25214]
    Cisco Systems VPN Client.lnk - C:\Program Files\cisco systems\vpn client\vpngui.exe [2006-10-25 12:27:25 1445904]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2004-10-12 20:33:08 213264]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "Intellimenus"= 1 (0x1)
    "NoInstrumentation"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=c:\winnt\system32\setadmin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\0\0]
    "Script"=folder_redirect.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-606747145-725345543-44281\Scripts\Logon\1\0]
    "Script"=us.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-25 17:18:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\Program Files\Citrix\ICA Client\pnsson.dll
    .
    Completion time: 2008-02-25 17:19:53
    ComboFix-quarantined-files.txt 2008-02-25 22:19:48
