
Thread: HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run

  1. #11
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    I guess I spoke too soon! As I was downloading the new JRE, a popup came up.. I just ignored it (didn't click anything).. installed the JRE, then deleted the temporary Internet files. I closed the popup.. this time, when I closed the popup, additional popups didn't come.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:36 AM, on 9/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
    O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

  2. #12
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Go ahead and delete KillBox & MWaV.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    ----

    Please run the F-Secure Online Scanner

    Note: This scanner is for Internet Explorer only!
    • Follow the instructions here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy & paste the entire report in your next reply.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  3. #13
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Followup:

    I also deleted two suspicious looking entries in Display Properties -> Desktop Tab -> Customize Desktop.. -> Web tab

    The following lines were deleted:

    C:\\Program Files\\NetMeeting\\podoci.html

    C:\\Program Files\\Internet Explorer\\mebezane.html


    podoci.html was previously identified as a bad entry in this thread; it's the first time I've seen mebezane.. it didn't show up in any logs? Both of those lines were checked.

    Should I remove the 3rd entry that says "My Current Home Page"?

    I checked REGEDIT and can confirm they're gone from the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
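    The entries deleted in this post are Active Desktop web components, which live as numbered subkeys under the registry key quoted above, each with a Source value. As an added check that is not part of the thread, this script parses a .reg export of that key and flags components whose Source is a local file rather than an about: or web URL; the sample export is constructed to mirror the two deleted entries and the legitimate "My Current Home Page" one.

```python
import re

# Constructed .reg export (not from the thread) of the Active Desktop
# components key quoted above; entries 1 and 2 mirror the two deleted ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\NetMeeting\\podoci.html"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Program Files\\Internet Explorer\\mebezane.html"
"FriendlyName"=""
"""
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"


def parse_components(reg_text):
    """Return {subkey: {value_name: string_value}} for each numbered component subkey."""
    components = {}
    current = None
    for line in reg_text.splitlines():
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            key = key_match.group(1)
            current = None
            if key.startswith(COMPONENTS_KEY + "\\"):
                current = components.setdefault(key[len(COMPONENTS_KEY) + 1:], {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current is not None:
            # .reg files double backslashes and escape embedded quotes
            current[val_match.group(1)] = val_match.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return components


def suspicious_components(components):
    """Flag components whose Source is a local file rather than an about: or http(s) URL."""
    flagged = []
    for name, values in components.items():
        source = values.get("Source", "")
        if not re.match(r"^(about:|https?://)", source, re.IGNORECASE):
            flagged.append((name, source))
    return flagged
```

An empty FriendlyName alongside a local .html Source, as in the two flagged entries, is the pattern worth looking for when reviewing this key.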

  4. #14
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Sorry, was typing my post as you sent yours.. Will do your instructions now

    Many thanks for continued scrutiny in removing the malware from my PC.

  5. #15
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    No need to uncheck My current homepage..

  6. #16
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Fprot Online scan report

    Scanning Report
    Monday, September 18, 2006 08:43:22 - 09:43:14
    Computer name: OVERCLOCKER
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 0 malware found

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 33798
    System: 4643
    Not scanned: 3
    Actions:
    Disinfected: 0
    Renamed: 0
    Deleted: 0
    None: 0
    Submitted: 0
    Files not scanned:
    C:\HIBERFIL.SYS
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure AVP: 6.0.171, 2006-09-18
    F-Secure Libra: 2.4.1, 2006-09-16
    F-Secure Orion: 1.2.37, 2006-09-18
    F-Secure Blacklight: 1.0.31, 0000-00-00
    F-Secure Pegasus: 1.19.0, 2006-08-14
    F-Secure Draco: 1.0.35, 0259-24-212
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
    Use Advanced heuristics

    --------------------------------------------------------------------------------


  7. #17
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    It's clean.

    Let's run a rootkit scan...

    Download GMER:
    • Unzip it and double-click GMER.exe
    • Click the rootkit-tab and click scan.
    • Once done, click Copy.
    • This will copy the results to clipboard.
    • Paste the results in your next reply.

  8. #18
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    GMER 1.0.11.11349 - http://www.gmer.net
    Rootkit 2006-09-18 10:09:42
    Windows 5.1.2600 Service Pack 2


    ---- Files - GMER 1.0.11 ----

    ADS ...

    ---- EOF - GMER 1.0.11 ----

  9. #19
    Junior Member
    Join Date
    Sep 2006
    Posts
    19


    Here's the same log, with "Show All" checked:

    GMER 1.0.11.11349 - http://www.gmer.net
    Rootkit 2006-09-18 10:53:19
    Windows 5.1.2600 Service Pack 2


    ---- Files - GMER 1.0.11 ----

    ADS C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable
    ADS C:\Documents and Settings\All Users\Documents\SmitfraudFix.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\ATF-Cleaner.exe:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\combofix.exe:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\gmer.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\Hammer.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\HAMMER_WEBSITE.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\hijackthis.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\jre-1_5_0_08-windows-i586-p.exe:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\MGADiag.exe:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\Old HDD\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\ResHack.zip:Zone.Identifier
    ADS C:\Documents and Settings\Craig Flannagan\Desktop\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004-06 (Jun)\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004-09 (Sep)\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.05.31 pixs\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.07.01 pixs\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.07.19 pixs\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Anita's Graduate Pixs\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\Deafworkspcsm.com\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\images\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\digital camera\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Microsoft Clip Organizer\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\My Slideshow\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Zephan's 2nd bday party photos\Thumbs.db:encryptable
    ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Webs\Flannagan\images\Thumbs.db:encryptable
    ADS C:\Look2Me-Destroyer.exe:Zone.Identifier
    ADS C:\Projects\GLOBALPARTNERS_WEBSITE\_img\hc\Thumbs.db:encryptable
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP241\A0023909.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP253\A0031999.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037200.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037416.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037417.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037422.exe:Zone.Identifier
    ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP273\A0037952.exe:Zone.Identifier

    ---- EOF - GMER 1.0.11 ----
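    Every stream in the log above is either Zone.Identifier, the download-zone marker Windows writes on files saved from the Internet, or encryptable, the flag Explorer puts on Thumbs.db thumbnail caches, which is why the output is unremarkable. As an added triage aid that is not part of the thread, this script parses GMER's ADS lines and separates those known streams from anything that warrants a closer look; the sample log is constructed in the same format, not copied from the post.

```python
import re

# Constructed sample in the format of the GMER "Files" section above
# (not the thread's own log): three Windows-created streams and one that is not.
SAMPLE_GMER = """GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-18 10:53:19
Windows 5.1.2600 Service Pack 2

---- Files - GMER 1.0.11 ----

ADS C:\\Documents and Settings\\User\\Desktop\\Thumbs.db:encryptable
ADS C:\\Documents and Settings\\User\\Desktop\\gmer.zip:Zone.Identifier
ADS C:\\System Volume Information\\_restore{EXAMPLE}\\RP1\\A0000001.exe:Zone.Identifier
ADS C:\\WINDOWS\\system32\\notepad.exe:extra.exe

---- EOF - GMER 1.0.11 ----
"""

# Streams Windows itself creates: the Internet-zone marker written on downloaded
# files, and the flag Explorer puts on Thumbs.db thumbnail caches.
KNOWN_BENIGN = {"Zone.Identifier", "encryptable"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".sys")


def parse_ads_lines(log_text):
    """Return (host_path, stream_name) for every 'ADS <path>:<stream>' line."""
    entries = []
    for line in log_text.splitlines():
        # The path itself contains 'C:', so split on the last colon only.
        m = re.match(r"^ADS\s+(.+):([^:\\]+)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_ads(entries):
    """Split entries into known-benign streams and ones worth a closer look, with a reason."""
    benign, review = [], []
    for path, stream in entries:
        if stream in KNOWN_BENIGN:
            benign.append((path, stream))
        elif stream.lower().endswith(EXECUTABLE_SUFFIXES):
            review.append((path, stream, "executable-named stream"))
        else:
            review.append((path, stream, "unrecognised stream name"))
    return benign, review
```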

  10. #20
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Looking good

    How's the system running now? Popups? Problems?

    If you get warnings from your Anti-virus app, then please let me know and also let me know the filepaths if it gives you any.
